Aussie students expose Snapchat's inner workings

SnapChat, the latest social networking tool to catch on among youth culture, doesn’t purport to be taken too seriously.

It offers a photo sharing service via which images shared between friends can only be seen for a few seconds before they are deleted from the social network’s servers.

Snapchat's ephemeral approach has taken hold in an era that espouses “living in the moment”, free from commitment or responsibility. It offers the sharing capabilities of Facebook without necessarily publishing private moments for all and sundry - and has grown rapidly, now sending in excess of 350 million ‘snaps’ a day.

But while the company can afford to turn down a US$3 billion buyout offer from Facebook, it has not afforded itself watertight IT security - at least not to the level of privacy users might expect after reading its comprehensive privacy policy.

A group of Australian youngsters - all students with no formal education - have reverse engineered the Snapchat service using only its API (application program interface) and readily available InfoSec tools.

Calling themselves ‘Gibson Security’ or ‘GibsonSec’ for short, the group started tinkering with these tools in an effort to figure out how Snapchat worked, and whether it indeed could be trusted to delete images immediately after they are viewed by a recipient.

“This project initially started out as us trying to satisfying our curiosity over how Snapchat would securely send snaps, and to emulate that process for some fun,” one of the group told SC Magazine, on condition of remaining anonymous. “Once we found the exploits, it was another thing altogether, and we decided to take it a bit more seriously.”

In August, the group disclosed that it had found a flaw in the app’s ‘Find Friends’ function. This asks new users of the service to provide their mobile number and for access to their phone’s address book and make connections between friends. These mobile numbers are stored on Snapchat’s servers as ‘hashes’ (mathematical representations of the real number) and are used as the unique identifier to match a new user with existing users they already make contact with.

GibsonSec exploited this by spinning up a virtual server and “masquerading as the Snapchat client and iterating through every phone number in a phone range”, discovering that the theoretical maximum after which Snapchat would block such attempts was 75,000 phone numbers. They were able to crunch 10,000 phone numbers in seven minutes and estimated they could match a phone number and name to every Snapchat user in 20 hours using only $10 of cloud computing credit.

“This feature also exists in many other social networking applications and is really fundamentally broken,” one of the group told SC. 

Developers have also discovered that Snapchat’s encryption keys are stored in plain text in the Android app.

“It takes all of a minute to obtain the bytecode of an Android application using tools such as smali or baksmali. From here, you just find the crypto classes which stick out like a sore thumb and copy the keys.”

Numerous third party apps surfaced in app stores that took advantage of the reverse engineered API, proving that unread photos could be accessed, replaced or stored on a more permanent basis by unauthorised parties. Snapchat has been sending takedown requests to these developers, claiming that because third party apps are not permitted to access the Snapchat API, their apps amount to “an unlawful circumvention device.”

After five months of inaction on its original disclosure, GibsonSec decided to publish a full disclosure of the vulnerabilities it had discovered on Christmas Eve, including a proof of concept showing other developers how they could obtain masses of phone numbers from the service.

“An IT professional, could in a small timeframe, build a large database of users and phone numbers,” iTnews was told. “With any programming experience, this process could be made even faster.”

Snapchat responded cordially in a blog post on December 27, arguing that theoretically, “if someone were able upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way.”

“Over the past year we’ve implemented various safeguards to make it more difficult to do," the social network announced on its blog. "We recently added additional counter-measures and continue to make improvements to combat spam and abuse.”

The response “disappointed" the young hackers.

“It seems as if they dismissed the attacks completely, playing it off as a theoretical attack, trying to imply that this exploit would be of no use,” SC was told.

The group now hopes to help Snapchat build a workaround for the problem after contacting the social network's director of operations, Micah Schaffer.

From there, they are planning “more mobile reverse engineering, unless something fun comes along.

“We're looking at some really big social networking apps, but we're not sure which one we're going to work on next.”

Copyright © SC Magazine, Australia