Snapchat’s Find Friends feature is an optional service that asks the user to enter their phone number so that their friends can find their username. If you enter your phone number, than someone who has you in their address book would be able to find you more easily.
In August 2013, a security group reported potential abuse of the Find Friends feature. Shortly after, the team at Snapchat implemented practices like rate limiting to address the concerns. On Christmas Eve, the same security group publicly released Snapchat’s API, making it a lot easier for attackers to abuse and violate their terms and services.
Last week in a blog post Snapchat pointed out it was possible for an attacker to exploit the Find Friends feature allowing them to upload large amounts of phone numbers and match them with users’ usernames.
Earlier this week, attackers released a database of users, partially hidden, phone numbers and usernames. The team reports no other information was obtained. They will be releasing a new version of the app which will allow users to opt-out of appearing in Find Friends, after they verify their phone number. Other features like rate limiting will also be improved.
The Snapchat community is a place where friends feel comfortable expressing themselves and we’re dedicated to preventing abuse.
The folks at Snapchat are making it easier for security experts to report security vulnerabilities them which can be done by emailing them at firstname.lastname@example.org.
[via Snapchat Blog]