A vulnerability known since August puts the privacy of millions of Snapchat users at risk. The Australian hacker group Gibson Security informed Snapchat's developers about it four months ago, and it has still not been patched.



The flaw in Snapchat's application programming interface (API) allows phone numbers to be matched to the usernames associated with them. Even with privacy settings at the supposedly highest level, a user's data can be harvested with ease, so the privacy of roughly 26 million Snapchat users is clearly at stake. A second bug makes it possible to create large numbers of fake accounts with a simple script. In addition, photos and videos can be decrypted without much effort.



For data collectors it is trivial to link names, phone numbers and even social-media profiles to one another and then to spy on Snapchat users. According to Gibson Security, things have already gone so far that user data has been sold over the internet in "combination packages" for a few dollars.



Snapchat is not uncommonly used as a so-called 'sexting app'. Whether the private nude pictures and salacious messages reached only their intended recipients is questionable. This serious privacy risk could be exploited for spamming or, worse, for stalking, scamming or blackmailing Snapchat users.



The vulnerability itself could have been closed with as few as ten lines of code. Yet Gibson Security's advice has gone unanswered and ignored to this day.
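As an added illustration of the two API weaknesses described above (unlimited phone-number-to-username lookups and scripted bulk registration) and of the kind of small server-side fix the article says would have closed them, the following Python is example code written for this page. It is not Gibson Security's or Snapchat's code; the directory contents, the function and class names (`find_friends_unthrottled`, `SlidingWindowQuota`, `find_friends_throttled`, `register_account`) and the chosen limits are all assumptions.

```python
import time
from collections import deque

# Constructed sample directory (made-up numbers and names) standing in for the
# phone-number-to-username mapping behind a "find friends" endpoint.
DIRECTORY = {
    "+15550000001": "alice",
    "+15550000002": "bob",
    "+15550000003": "carol",
}

# Constructed account store used by the registration example below.
ACCOUNTS = set()


def find_friends_unthrottled(phone_numbers):
    """The pattern the article describes: any caller may submit any number of
    phone numbers and receives every matching username, so a script that walks
    through whole number ranges can enumerate the entire user base."""
    return {n: DIRECTORY[n] for n in phone_numbers if n in DIRECTORY}


class QuotaExceeded(Exception):
    """Raised when a caller exhausts its lookup or registration budget."""


class SlidingWindowQuota:
    """Per-caller budget of `max_units` within a rolling window of
    `window_seconds`, plus a cap of `max_batch` units per single request.
    Hypothetical helper written for this example; in-memory only."""

    def __init__(self, max_units, window_seconds, max_batch):
        self.max_units = max_units
        self.window_seconds = window_seconds
        self.max_batch = max_batch
        self._events = {}  # caller -> deque of (timestamp, units charged)

    def _spent(self, caller, now):
        q = self._events.setdefault(caller, deque())
        # Forget charges that have fallen out of the window.
        while q and q[0][0] <= now - self.window_seconds:
            q.popleft()
        return sum(units for _, units in q)

    def charge(self, caller, units, now=None):
        """Debit `units` from the caller's budget or raise QuotaExceeded."""
        now = time.time() if now is None else now
        if units > self.max_batch:
            raise QuotaExceeded(f"batch of {units} exceeds {self.max_batch}")
        if self._spent(caller, now) + units > self.max_units:
            raise QuotaExceeded(f"{caller} exceeded {self.max_units} per window")
        self._events[caller].append((now, units))


def find_friends_throttled(caller, phone_numbers, quota, now=None):
    """Hardened lookup: every submitted number is charged to the authenticated
    caller's quota whether or not it matches, so probing unassigned numbers
    costs as much as a hit and bulk enumeration stalls at the ceiling."""
    quota.charge(caller, len(phone_numbers), now)
    return {n: DIRECTORY[n] for n in phone_numbers if n in DIRECTORY}


def register_account(source_ip, username, quota, now=None):
    """Registration guarded by the same quota keyed on the source address, so a
    script cannot mint accounts in bulk from one host. Returns True on success."""
    quota.charge(source_ip, 1, now)
    ACCOUNTS.add(username)
    return True


if __name__ == "__main__":
    # Walk a small constructed number range, as an enumeration script would.
    probe = [f"+1555{i:07d}" for i in range(50)]
    print("unthrottled:", find_friends_unthrottled(probe))
    quota = SlidingWindowQuota(max_units=200, window_seconds=86400, max_batch=50)
    print("throttled, first batch:", find_friends_throttled("attacker", probe, quota))
    for _ in range(3):
        find_friends_throttled("attacker", probe, quota)
    try:
        find_friends_throttled("attacker", probe, quota)
    except QuotaExceeded as exc:
        print("fifth batch refused:", exc)
```

The quota is charged for numbers submitted rather than for matches returned, because an enumeration script learns just as much from a miss as from a hit. Two caveats a practitioner would add: the in-memory deque only works within one process, so a real deployment keeps the counters in a shared store; and a per-account quota alone does not stop an attacker who holds many accounts, which is exactly why the scripted fake-registration bug makes the lookup weakness so much worse and why both need to be throttled together.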



For further information:

Gibsonsec

Here you will find the full report on the vulnerability, along with code samples and an explanation of the entire process.