Hacker News: gibsonsecurity's comments

This isn't an issue with convenience, this is an issue with Snapchat failing to fix a vulnerability.

How relevant is find_friends to Snapchat now? Is it really needed? Are they getting that many users building relationships for it? Is it worth damaging Snapchat's image?


I don't think you fully grasped what I was saying.

This won't damage SnapChat's image. At least, not among most of their userbase.

They don't need to focus on fixing this or on coming up with a better response because this isn't important to enough people.


They won't see a huge amount of users deleting accounts, but I'm sure future users will think twice before joining.

Also, the value of the company.


We're going to be releasing a statement shortly.

Here: https://gist.github.com/anonymous/8231005


For the record we don't know about SnapchatDB.

But it was a matter of time until this happened; the exploit still works with minor modifications, you just have to be smart about it.


We don't :) (but we'd be happy to take Snapchat's money and help them out!)

We documented two exploits, which are exploits, because we are exploiting code that has been incorrectly implemented.

We also noted that Snapchat must have lied to Goldman Sachs (is this what you were referring to?), as we noticed during our research that there is no mention of gender in the protocol.

Does that answer any questions?


Sorry about that - I thought it was clear from the context of those off-the-cuff estimations that it was 6666 numbers (since that was based off of how many numbers you could scan, not users). We've added some clarification just to be sure, thanks.


Just checked and you still have this completely broken paragraph:

"Given user_base = 8,000,000, and a numbers crunchable per minute (ncpm) of approximately 6666, we can assume that it would take approximately 20 hours for one $10 virtual server to eat through and find every user's phone number (hours = user_base / (ncpm*60)). At our worst case of ncpm = 5000, it would take approximately 26.6 hours."

Look at it this way: If they only had 5000 users, would you estimate the time to find all their phone numbers at 1 minute? No.


We thought about that, and it would be pretty misleading. If they did find out data that way, they should really tell people how inaccurate it can be.


Why not just take a random sample of 5000 users and look at their snaps to determine if they're male or female? You won't be exact but you'll know if it's 70% women instead of 50%.


Obvious privacy reasons that would probably get Snapchat sued, but otherwise, yes that would probably work.


Hahahaha, I don't think making it harder to reverse would be any better; it would probably motivate people even more (deobfuscation is too much fun and fairly easy!).

They should really just focus on improving what they have and pushing clients towards a safer protocol slowly.

Snaps being stolen will always happen, but I do like the approach Instagram took to preventing spammers (getInstagramString(), it stopped everyone until they adapted!).


Yep, but at least that would be fun, don't you agree?

I also wonder why nobody has set up a Snapchat bot yet: it could successfully impersonate multiple humans by forwarding snaps between pairs of unsuspecting users, gathering a lot of data that way.


Actually, I know of one set up by a friend: snaproulettebot. You send a snap, and it sends you a random one back later from another user. Being called "snaproulettebot" makes it pretty obvious what it is, but you could do it in a more opaque way.


Definitely, lol.

That's a pretty sneaky idea, I'm sure it's possible with all the clients now available!


Could you explain what getInstagramString() is? Thanks!


Hi, I'm one of the authors of the above release [1], and the exploit we primarily talked about (find_friends) isn't really an issue with the protocol as a whole.

We understand the need to support legacy clients, but Snapchat could easily limit the damage this exploit could do.

It wouldn't be that hard for them to make the best of what they have, by auditing all the code that typically has these exploits, and from that point onwards, also auditing riskier areas in the code base periodically.

But yeah, we have seen an improvement in some of the Snapchat client code, which indicates there are probably some bright new developers that have just joined the team. We just find it pretty bad that in this time, we haven't seen attempts (on our end, server side may be different) to secure the protocol.

Also regarding communication, we haven't heard a word from Snapchat in 4 months, neither has the reporter of this story, Violet Blue. If any of the guys from Snapchat are reading this (or you can pass on a message), tell them they're free to message us at security@gibsonsec.org.

We're pretty easy to contact.

[1]: http://gibsonsec.org/snapchat/fulldisclosure/

*

Just saw your edit: the purpose of this release wasn't to tell everyone we're the nth person to reverse engineer Snapchat's protocol, but rather to bring attention to the particular vulnerabilities.

I can speak for the rest of our team, and we're pretty sick of Snapchat's protocol, and this will most likely be our last release regarding it.

(Also I noticed newlines broke, kinda fixed that)


Yeah, I agree with pretty much everything you said. I too think they could do a lot of things better. Yes, they've been really really slow to fix known issues. I did not mean to denigrate your work, which seems solid. :)

I'm just saying, 9 months down the road, if they had the optimal version of their security protocol, someone could still break in and write a post that "audits" it, just like we get every couple of months on the HN frontpage. Everyone would laugh, again. Some people would know that it's as good as it gets, but most people would just be in it for the circle jerk. There's no win for them here. That's all I'm saying.

*

Also, seeing your edit responding to my edit, sorry, I sometimes post before I work everything out perfectly. This isn't really an indictment of you guys specifically. I think your work is great.


Thanks, and that's totally fine. I agree with you, Snapchat's definitely flawed from the start, but as long as we get rid of gaping holes in their security such as the find_friends exploit, at least they're halfway there.

(OT, but you have a really cool project list btw :P)


Off-topic: your name is confusing. I assumed you were Steve Gibson's spin-off into security, which is a poor association to have, as he is widely considered an amateur in security matters. Very vocal and assertive, but an amateur nonetheless.

http://grc.com


I'm quite the fan of Steve Gibson; in fact I use grsec on my boxes. Sadly we only noticed this after our initial release, when it really was too late.

If Steve Gibson hears of this, or reads this, my apologies, this was not intended.

(also this was a reference to the movie Hackers, which is in turn a reference to William Gibson)


Steve Gibson and Gibson Research Corporation are not affiliated with the grsec guys. This is quite confusing.


He isn't?

Sorry, that really is a mistake on my part. I thought I saw his name attached to it. I'm probably thinking of someone else; again I apologize to all parties involved.

