Hi, I'm one of the authors of the above release, and the exploit we primarily talked about (find_friends) isn't really an issue with the protocol as a whole.
We understand the need to support legacy clients, but Snapchat could easily limit the damage this exploit could do.
It wouldn't be that hard for them to make the best of what they have, by auditing all the code that typically has these exploits, and from that point onwards, also auditing riskier areas in the code base periodically.
But yeah, we have seen an improvement in some of the Snapchat client code, which indicates there are probably some bright new developers that have just joined the team. We just find it pretty bad that in this time, we haven't seen attempts (on our end, server side may be different) to secure the protocol.
Also regarding communication, we haven't heard a word from Snapchat in 4 months, neither has the reporter of this story, Violet Blue. If any of the guys from Snapchat are reading this (or you can pass on a message), tell them they're free to message us at firstname.lastname@example.org.
Yeah, I agree with pretty much everything you said. I too think they could do a lot of things better. Yes, they've been really really slow to fix known issues. I did not mean to denigrate your work, which seems solid. :)
I'm just saying, 9 months down the road, if they had the optimal version of their security protocol, someone could still break in and write a post that "audits" it, just like we get every couple of months on the HN frontpage. Everyone would laugh, again. Some people would know that it's as good as it gets, but most people would just be in it for the circle jerk. There's no win for them here. That's all I'm saying.
Also, seeing your edit responding to my edit, sorry, I sometimes post before I work everything out perfectly. This isn't really an indictment of you guys specifically. I think your work is great.
Thanks, and that's totally fine. I agree with you, Snapchat's definitely flawed from the start, but as long as we get rid of gaping holes in their security such as the find_friends exploit, at least they're halfway there.
(OT, but you have a really cool project list btw :P)
Offtopic - your name is confusing. I assumed you were Steve Gibson's spin-off into security, which is a poor association to have as he is widely considered an amateur in security matters. Very vocal and assertive, but an amateur nonetheless.