Snapchat says it is adding new user privacy features after a holiday hack last week, when hackers exposed the private information of about 4.6 million Snapchat users. The young social media company also said it would beef up internal security to make it more difficult to get at account information, but notably offered no apologies.
Snapchat announced the changes in an official blog post published Thursday, which it says will make it harder for attackers to get "Snapchatters'" phone numbers and username information. At the same time, the social media network effectively laid the blame for the security breach on security group Gibson Security for publishing details on the potential vulnerability in the first place.
"The Snapchat community is a place where friends feel comfortable expressing themselves and we're dedicated to preventing abuse," said the post, after detailing changes to Snapchat, the most important of which is a change to user options within the app: "We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number."
Find Friends is Snapchat's address book/username matching system intended to help users connect with people they may already know in Snapchat (and vice versa), which is not an unusual feature for social media networks to have.
What is unusual for a social media company is how Snapchat responded to a public notification of a possible security risk in its phone number/username-matching system.
While the white hat hackers "Gibson Security" didn't do the social network any favors by publicly posting details of the information-mining API vulnerability on Christmas Eve, Snapchat itself did its users no favors by responding days later with a blog post that basically brushed the problem aside.
"Theoretically," said the Dec. 27 Snapchat response to the security vulnerability, "if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way." Snapchat said that it had implemented "various safeguards" and "additional counter-measures" throughout the year to make that kind of exploit "more difficult to do." And that was it.
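The bulk-lookup scenario Snapchat describes above, turned into a defender's illustration. This is an added example, not Snapchat's code or API: a minimal server-side guard for a contact-matching endpoint that honours a per-user opt-out flag, enforces a per-client lookup quota, and rejects uploads that look like a sweep of a number range rather than an address book. The user table, client ids, and both thresholds are assumptions.

```python
from collections import defaultdict

# Assumed thresholds: a real address book holds hundreds of numbers, an area code
# holds ten million, so a daily cap and a consecutive-number check both bite the sweep.
MAX_NUMBERS_PER_DAY = 5000
MAX_RUN_FRACTION = 0.5   # more than half the uploaded numbers being consecutive is a sweep

# Constructed sample user table keyed by 10-digit phone number; "discoverable"
# is the opt-out described in the post (False = user chose not to appear).
USERS = {
    "2125550100": {"username": "alice", "discoverable": True},
    "2125550101": {"username": "bob", "discoverable": False},
    "2125550199": {"username": "carol", "discoverable": True},
}
_quota_used = defaultdict(int)   # per-client count of numbers looked up today


def looks_like_sweep(numbers):
    """True when the upload is mostly consecutive numbers, i.e. a range enumeration."""
    nums = sorted({int(n) for n in numbers})
    if len(nums) < 20:           # small uploads may legitimately contain a few adjacent numbers
        return False
    consecutive = sum(1 for a, b in zip(nums, nums[1:]) if b - a == 1)
    return consecutive / (len(nums) - 1) > MAX_RUN_FRACTION


def find_friends(client_id, numbers):
    """Return {number: username} for discoverable matches; raise PermissionError on abuse."""
    numbers = [n for n in numbers if n.isdigit() and len(n) == 10]
    if looks_like_sweep(numbers):
        raise PermissionError("upload rejected: looks like a phone-number range sweep")
    if _quota_used[client_id] + len(numbers) > MAX_NUMBERS_PER_DAY:
        raise PermissionError("daily lookup quota exceeded")
    _quota_used[client_id] += len(numbers)
    # Opted-out users are simply absent from the result, so the caller learns nothing
    # about whether the number belongs to an account.
    return {n: USERS[n]["username"] for n in numbers
            if n in USERS and USERS[n]["discoverable"]}
```

A legitimate contact sync of three numbers returns only alice and carol (bob opted out), while a 100-number consecutive upload is rejected before any lookup happens.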
Sure enough, theory turned to reality a few days later, when the site Snapchatdb.info went live "Bringing 4.6 million users' information to your fingertips" in a database of phone numbers and usernames.
The cybersecurity community, already upset at Snapchat's initial (non-)response, may feel only a little better at Snapchat's ever-so-slight change of tone in the latest response: "We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns."
But really, Snapchat was just getting another dig at Gibson for publicly publishing the vulnerability in the first place: "The best way to let us know about security vulnerabilities," continued Snapchat's post, "is by emailing us: firstname.lastname@example.org."
Throughout the Find Friends fiasco - which began in August when Gibson Security published a report about the vulnerability - Snapchat had been reluctant to respond to calls for major changes.
And now, even after the vulnerability turned out to be more than theoretical, the company did not offer an apology to security experts who have been calling for changes to the Find Friends system for months, some of whom are now even more outraged.
Neither did Snapchat apologize to its users.