Just finished reading Gibson Security's page on Snapchat's
security hole, and it really made me think for a couple of minutes about how I
would fix it if tasked with it.
The issue resides in the "find friends" feature, where your friends'
phone numbers are sent to Snapchat's API, which responds with the username
if the number exists. A simple incremental loop could start building a
These are some quick ideas I have:
- The "find friends" feature must be changed to something like "invite your
friends": if your friend accepts your invite, then the username is
revealed and the accounts are linked.
- Build a "find friends" request log and look for patterns in it: a run of
requests for sequential numbers should get the user banned.
- User registration should be limited per IP address and time window.
- Improve how API calls are signed.
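To make the second and third ideas concrete, here is an added example (my own illustration, not Snapchat's code or anything from the Gibson Security write-up). It assumes a hypothetical request-log format of (timestamp, username, client IP, phone numbers submitted), constructed sample entries, and made-up thresholds; the real values would have to be tuned against actual traffic:

```python
from collections import defaultdict, deque

# Constructed sample "find friends" log in a hypothetical format (not Snapchat's):
# (timestamp in seconds, username, client IP, phone numbers submitted in that request).
# "alice" and "bob" upload a normal address book; "mallory" walks a number range.
SAMPLE_LOG = [
    (0, "alice", "203.0.113.5", ["+15550001234", "+15550009876", "+15550004321"]),
    (5, "mallory", "198.51.100.7", ["+1555000%04d" % n for n in range(0, 50)]),
    (6, "mallory", "198.51.100.7", ["+1555000%04d" % n for n in range(50, 100)]),
    (7, "mallory", "198.51.100.7", ["+1555000%04d" % n for n in range(100, 150)]),
    (60, "bob", "203.0.113.9", ["+15550007777"]),
]


def longest_sequential_run(numbers):
    """Length of the longest run of numerically consecutive phone numbers in one request.

    A real address book almost never contains long consecutive runs; an enumeration
    loop produces nothing else, so this is the "strange sequential number" signal.
    """
    digits = sorted({int(n.lstrip("+")) for n in numbers if n.lstrip("+").isdigit()})
    if not digits:
        return 0
    best = run = 1
    for prev, cur in zip(digits, digits[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log, max_run=10, max_lookups=100, window=60):
    """Return {username: set of reasons} for users whose lookups look like enumeration.

    "sequential": one request contained at least max_run consecutive numbers.
    "volume":     more than max_lookups numbers were looked up within `window` seconds.
    Thresholds are assumptions for the example, not measured values.
    """
    flagged = defaultdict(set)
    recent = defaultdict(deque)  # username -> deque of (timestamp, numbers in request)
    for ts, user, _ip, numbers in sorted(log, key=lambda e: e[0]):
        if longest_sequential_run(numbers) >= max_run:
            flagged[user].add("sequential")
        q = recent[user]
        q.append((ts, len(numbers)))
        while q and q[0][0] <= ts - window:  # drop requests outside the sliding window
            q.popleft()
        if sum(count for _, count in q) > max_lookups:
            flagged[user].add("volume")
    return dict(flagged)


class RegistrationLimiter:
    """Per-IP sliding-window cap on account registrations (the third idea above)."""

    def __init__(self, max_per_ip=3, window=3600):
        self.max_per_ip = max_per_ip
        self.window = window
        self._seen = defaultdict(deque)  # ip -> timestamps of accepted registrations

    def allow(self, ip, ts):
        """True if a registration from `ip` at time `ts` is within the cap, else False."""
        q = self._seen[ip]
        while q and q[0] <= ts - self.window:
            q.popleft()
        if len(q) >= self.max_per_ip:
            return False
        q.append(ts)
        return True


if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))  # only mallory is flagged
    limiter = RegistrationLimiter(max_per_ip=3, window=3600)
    print([limiter.allow("198.51.100.7", t) for t in (0, 1, 2, 3, 3601)])
```

Two caveats a practitioner would raise: an attacker can randomize the order of numbers and spread lookups across many throwaway accounts and IPs, which defeats the sequential check and dilutes the per-user volume check, so this kind of detection is a complement to the first idea (not revealing usernames without consent), not a replacement for it; and per-IP registration limits hit users behind carrier NAT, so the window and cap need tuning against real traffic.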
I believe that security, implementation and feature spec should work
together, not one following the other.
What would you suggest as a fix?