
Snapchat Update Addresses Security Hole

timothy posted about 7 months ago | from the you've-got-mail dept.


Snapchat has released an update to address the security problems exposed recently by Gibson Security and subsequently (and quickly) exploited. From the article: "Snapchat also said researchers could email the firm at security@snapchat.com for any vulnerability discoveries. 'We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com,' Snapchat said."


Big lesson (5, Informative)

Anonymous Coward | about 7 months ago | (#45864193)

Pity that it took such a brutal action by GRC to change this company's point of view.

Re: Big lesson (4, Funny)

Anonymous Coward | about 7 months ago | (#45864205)

They should have taken the $3 billion when they had the chance. These aren't real business people, they're techies who are holding on to a hot property. They need to know when to let the professionals start running things so they can turn it into a viable company.

Re: Big lesson (-1, Troll)

Anonymous Coward | about 7 months ago | (#45864283)

Techies aren't real people. Techies are dimwitted naive idiots who belong in prison far away from society. Real people are the lying scheming psychopaths who do the real work in the real world.

Re: Big lesson (3, Insightful)

DarkOx (621550) | about 7 months ago | (#45864427)

You mean the business people who usually buy these "tech firms" for billions and sell them a few years later for millions, as is the usual pattern, those business people?

Re: Big lesson (0)

Anonymous Coward | about 7 months ago | (#45864455)

You mean the business people who usually buy these "tech firms" for billions and sell them a few years later for millions, as is the usual pattern, those business people?

Yes, those business people. An entrepreneur needs to know when to sell to a greedy company. The fact that the buyer doesn't know how to run the newly purchased company is not the entrepreneur's fault.

Start-ups are a lot like poker. They're a big gamble, you need to bluff your ass off to get people to continue to throw money into the pot, and you need to know when to cash out.

Re: Big lesson (0)

Anonymous Coward | about 7 months ago | (#45864541)

And that's how business adds value, by deceit! Meanwhile the means of production are outsourced, leaving a society of useless people who produce nothing.

Re: Big lesson (0)

Anonymous Coward | about 7 months ago | (#45864555)

And that's how business adds value, by deceit! Meanwhile the means of production are outsourced, leaving a society of useless people who produce nothing.

Freeing them all of their labor obligations and allowing them time to become an entrepreneur and create the next SnapCrap.

Re: Big lesson (0)

Anonymous Coward | about 7 months ago | (#45865087)

And make their money on the percentage from the initial sale. Yes, those guys.

Re: Big lesson (2)

MrBingoBoingo (3481277) | about 7 months ago | (#45864603)

Well, the big problem here is how his CEOness handled the aftermath. This everything is everyone else's fault mentality he has is going to keep him from ever getting that three billion dollars. I mean when asked if it would kill him to take one iota of responsibility he answered "Yes".

Re: Big lesson (0)

Anonymous Coward | about 7 months ago | (#45865039)

What else do you expect from a company founded by frat boy "brogrammers"?

Re: Big lesson (0)

Anonymous Coward | about 7 months ago | (#45865331)

Came here to ask how many Instagrams they think they're worth now.

Re:Big lesson (1)

Anonymous Coward | about 7 months ago | (#45864423)

GRC (Gibson Research Corporation) is different from Gibson Security, which seems to be an anonymous group.

Re:Big lesson (0)

Anonymous Coward | about 7 months ago | (#45864693)

Not GRC. GRC only knows how to FUD, not find real vulnerabilities. Gibson Security is a different group.

Re:Big lesson (1)

not_a_bot (633300) | about 7 months ago | (#45877217)

I'm not sure they actually learned anything. If you look at the language "We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service", it seems clear that they keep the public position that it is the researchers' fault for finding the holes and making Snapchat look like amateurs.

NSA email (5, Funny)

Anonymous Coward | about 7 months ago | (#45864199)

To: security@snapchat.com
From: NSAops@langly.gov

Subject: Latest Snapchat security update

We were using that you bastards!

Re:NSA email (1)

Anonymous Coward | about 7 months ago | (#45864255)

To: NSAops@langly.gov
From: security@snapchat.com

Sorry, had to for PR reasons. Another new version with new deniable hole will be released shortly. Details will be reported as usual.

Re:NSA email (0)

Anonymous Coward | about 7 months ago | (#45864385)

They also have to create some surveillance project around it, christened with some gay name written using capital letters, such as YELLOWPLUSHTOY.

Re:NSA email (1)

Calydor (739835) | about 7 months ago | (#45864265)

Isn't it 'Langley'?

Re:NSA email (2)

TheP4st (1164315) | about 7 months ago | (#45864503)

Isn't it 'Langley'?

As far as I know it's neither. Langley, Virginia is where the CIA HQ are located while NSA have their HQ in Fort Meade, Maryland.

Re:NSA email (0)

Anonymous Coward | about 7 months ago | (#45864791)

To: security@snapchat.com
From: Me

I have found a new exploit.

Sending...
NSA - Message intercepted

NSA - Sending terminated

Re:NSA email (1)

Fnord666 (889225) | about 7 months ago | (#45865495)

Given what we have seen so far there are probably so many weaknesses in this application that the NSA barely even noticed the loss of this one. Since it didn't give them access to the content it was a minor exploit at best. A more likely response is:

To: security@snapchat.com
From: NSAops@nsa.gov

Subject: Latest Snapchat security update

Thanks for not really taking this seriously and just saying that you'll pay more attention next time when someone tells you that you have an issue. We were concerned that you might go back and find the really serious exploits we are using to capture all of the content that flows through your system. No worries then.

Thanks.

A Concerned NSA Analyst

Caveat (5, Funny)

StikyPad (445176) | about 7 months ago | (#45864219)

...adding that emails sent to that address would be deleted after 10 seconds.

Re:Caveat (1)

martin-boundary (547041) | about 7 months ago | (#45864559)

However, in a statement the company said it listens to customers and announced that all the reported security bugs and suggestions would be fixed and implemented in the next revision of the software - using self modifying code that overwrites itself with random bits after 10 seconds.

Re:Caveat (1)

Anonymous Coward | about 7 months ago | (#45864933)

My friend used to be "abuse@microsoft.com", she was the only one who would bother to actually read and answer complaints. It was a thankless job, one that saved Microsoft many thousands if not millions of dollars by revealing some real snakepits before they became embarrassing, and detecting major spam senders early before they could DDOS the core mail servers. But lord, it wasn't pretty.

No need to CC the NSA (0, Offtopic)

Anonymous Coward | about 7 months ago | (#45864235)

They read all security vulnerability reports mailed in the clear anyway.

Still one of the stupidest things of 2013. (4, Insightful)

Anonymous Coward | about 7 months ago | (#45864237)

Turning down 3 billion. Just months before a giant security leak that makes gobs of people leave their service...

Could have all been sitting on a beach somewhere warm and toasty reading about someone else's giant security problem while counting their 3 billion and laughing with relief that they got out and got rich when they did...

Something tells me they won't be getting another offer in the billions.

Re:Still one of the stupidest things of 2013. (1)

pspahn (1175617) | about 7 months ago | (#45864267)

They said the same thing at the Alamo. Or was it an Isotopes game? Pfft. Either way, the sentiment is the same ... wait, who is Snapchat?

Re:Still one of the stupidest things of 2013. (1)

Anonymous Coward | about 7 months ago | (#45864301)

Could have all been sitting on a beach somewhere warm and toasty reading about someone else's giant security problem while counting their 3 billion and laughing with relief that they got out and got rich when they did...

Would have been me, but then, the problem is that people like us who think like this are usually not the ones who make it big to begin with. It is the people who are so driven, so willing to risk and gamble everything, who are not looking for a luxury beach life out but want to continue to spend 20 hour days working even more on their project, to take it even further, even bigger, even after they could score and settle... sigh..

Re:Still one of the stupidest things of 2013. (1)

Anonymous Coward | about 7 months ago | (#45864355)

I could see doing so for something unique and special and most of all... important.

but this is a chat program. a messenger program. Dime a dozen. one of many. just a few days ago we saw here on slashdot a list of other 'delete the message' programs to replace snapchat.

All they really had going for them was popularity. A fad. They are not special. Not unique. And now their popularity is severely damaged. The fad may die and they will be left with nothing.

That was a foolish thing to be driven for when offered 3 billion dollars for it.

I sure wouldn't have taken that gamble. Smile and take the money and now you have the means to create something truly unique, special and important.

Sure money maybe won't buy happiness. But no money won't either. And B... Billion. that's more money than most people will ever see. Tick that off your life requirements box. Money? Check. Got that. Would free up a lot of time and resources to get onto what you truly want.

Does not bode well for this company. Security problems. Yup. Turned down 3 billion? Damm.... How stupid are these guys?

Re:Still one of the stupidest things of 2013. (0)

Anonymous Coward | about 7 months ago | (#45864377)

I could see doing so for something unique and special and most of all... important.

but this is a chat program. a messenger program. Dime a dozen. one of many. just a few days ago we saw here on slashdot a list of other 'delete the message' programs to replace snapchat.

All they really had going for them was popularity. A fad. They are not special. Not unique. And now their popularity is severely damaged. The fad may die and they will be left with nothing.

That was a foolish thing to be driven for when offered 3 billion dollars for it.

I sure wouldn't have taken that gamble. Smile and take the money and now you have the means to create something truly unique, special and important.

Sure money maybe won't buy happiness. But no money won't either. And B... Billion. that's more money than most people will ever see. Tick that off your life requirements box. Money? Check. Got that. Would free up a lot of time and resources to get onto what you truly want.

Does not bode well for this company. Security problems. Yup. Turned down 3 billion? Damm.... How stupid are these guys?

Sure, but people said exactly the same of Mark Zuckerberg and Facebook when he early on turned down a 500 mill USD cash offer :)

Re:Still one of the stupidest things of 2013. (0)

Anonymous Coward | about 7 months ago | (#45864333)

Turning down money?! What were they thinking? Didn't anyone tell them that women are sexually attracted to money?

your mom (0)

Anonymous Coward | about 7 months ago | (#45865159)

Just because your whore of a moon is attracted to money doesn't mean all women are

Re: your mom (0)

Anonymous Coward | about 7 months ago | (#45865403)

Whore of a MOON? Lmfao! Epic fail right there!

Re: your mom (0)

Anonymous Coward | about 7 months ago | (#45866529)

Whore of a MOON? Lmfao! Epic fail right there!

Maybe it's a "your momma's so fat..."-joke.

Re:Still one of the stupidest things of 2013. (5, Insightful)

cbhacking (979169) | about 7 months ago | (#45864481)

Don't be too sure of that. Purchasers routinely hire security experts to review the security of major acquisitions prior to the buy-out, with various stipulations in the agreement as to what types of findings will be the responsibility of which party. Such a review would likely have found the issue before it was announced publicly.

So few companies are smart enough to bring in security experts *before* they need them.

Re:Still one of the stupidest things of 2013. (1)

Chemisor (97276) | about 7 months ago | (#45864935)

> Turning down 3 billion just months before a giant security leak

Coincidence?

Re:Still one of the stupidest things of 2013. (1)

Antique Geekmeister (740220) | about 7 months ago | (#45865139)

No, but it's correlation, not direct causation. The rapid development common to startups often leads to poor security. Approaches like "if someone can access our machines, we have much bigger problems" lead to storing passwords in plain text, sharing accounts, making the "root" password "root", storing mysql passwords on the monitoring server, and other unfortunate errors. Another month making a project secure, really reviewing the vulnerabilities and updating core components, is time to market being lost. So it's very rare in the early "get market growth first before someone else can outgrow us and capture the market" phase.

My work is often with slightly more mature environments, where people will be working there next year or 5 years from now, and don't want to suffer exactly this kind of disaster. So I get to see a lot of the cost of cleaning up and re-educating personnel about the risks of this kind of carelessness.

Re:Still one of the stupidest things of 2013. (1)

Fnord666 (889225) | about 7 months ago | (#45865455)

No, but it's correlation, not direct causation. The rapid development common to startups often leads to poor security. Approaches like "if someone can access our machines, we have much bigger problems" lead to storing passwords in plain text, sharing accounts, making the "root" password "root", storing mysql passwords on the monitoring server, and other unfortunate errors. Another month making a project secure, really reviewing the vulnerabilities and updating core components, is time to market being lost. So it's very rare in the early "get market growth first before someone else can outgrow us and capture the market" phase.

I agree, but the rapid development life-cycle is not solely responsible. Even in this day and age, most developers still don't have a good working knowledge of application security. I feel like this is a systemic issue with the education process. Across the teaching spectrum from post-secondary education to "teach yourself" books to boot camp instruction, application security is barely given a mention. Most of the developers that I have hired that did know something about it came from larger development shops that taught application security in house, sent their developers to additional training or they learned it from their mentor. At least with a basic understanding of application security you have a second "hat" that you can put on and look at the application design from a different perspective. You have to be able to look at your application and ask yourself how you could exploit or break it. If you can't, hire or contract someone who can.

POT (Personal Open Terminal) reduces obscurity? (-1)

Anonymous Coward | about 7 months ago | (#45864243)

nothing to hide & no where left to hide it leaves us hobbyist whiner dreamers out where we belong?

regression communications (1)

Anonymous Coward | about 7 months ago | (#45864269)

this is what i look like on POT (Personal Open Terminal); (;^)-)=| so looks don't matter either

Too bad it's news... (1)

akozakie (633875) | about 7 months ago | (#45864307)

Why oh why must things like this be news? Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.

Anyway, I'm more and more convinced that keeping a successful product, taking responsibility for it and developing it further might be The Right Thing (for the customers and the code), but is not the right business strategy. If your product becomes successful enough to prompt a giga$ offer - sell. Immediately. If you really want to keep working on it, insist on keeping some technical management position (you won't have full control anymore anyway).

Re:Too bad it's news... (0)

Anonymous Coward | about 7 months ago | (#45864439)

There was nothing correct about their initial response to the reported vulnerability. They didn't give the guy the time of day - they simply dismissed him out of hand.

Snapchat got what they deserved. They recklessly exposed users' information just so they could search for each other. They didn't implement it securely, they didn't put a rate limit on it, and they didn't make it encrypted so only the app itself could request or receive the info.

Let's hope this cost them at least one '0' from their next offer.
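The missing rate limit and the bulk-lookup abuse this comment describes, as an added example that is not part of the thread or of Snapchat's code: a guard in front of a contact-matching endpoint that caps the distinct numbers one client may look up per window and flags requests whose numbers form a dense consecutive run (a sweep rather than an address book). The log format, client names and thresholds are constructed.

```python
"""Throttling and flagging bulk contact-lookup enumeration.

Added example, not Snapchat's code. A contact-matching endpoint that maps
submitted phone numbers to usernames should cap how many distinct numbers
one client may look up per window, and should notice when a request looks
like an enumeration (a dense run of consecutive numbers) rather than an
address book. Log format, client names and thresholds are constructed.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600          # sliding window per client
MAX_DISTINCT_PER_WINDOW = 500  # far more than any real address book
SEQUENTIAL_RUN_FLAG = 20       # consecutive numbers in one request that betray a sweep


class LookupGuard:
    """Per-client budget for find-friends lookups plus an enumeration heuristic."""

    def __init__(self, window=WINDOW_SECONDS, max_distinct=MAX_DISTINCT_PER_WINDOW,
                 run_flag=SEQUENTIAL_RUN_FLAG):
        self.window = window
        self.max_distinct = max_distinct
        self.run_flag = run_flag
        self._history = defaultdict(deque)  # client -> deque of (timestamp, number)

    @staticmethod
    def longest_consecutive_run(numbers):
        """Length of the longest run of numerically consecutive phone numbers."""
        digits = sorted({int(n) for n in numbers if n.isdigit()})
        best = run = 1 if digits else 0
        for prev, cur in zip(digits, digits[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        return best

    def check(self, client, now, numbers):
        """Return (allowed, reasons) for one lookup request of `numbers` at time `now`."""
        hist = self._history[client]
        while hist and now - hist[0][0] > self.window:   # drop entries outside the window
            hist.popleft()
        # Denied requests still count against the budget, so probing the limit does not help.
        hist.extend((now, n) for n in numbers)
        reasons = []
        run = self.longest_consecutive_run(numbers)
        if run >= self.run_flag:
            reasons.append(f"sequential run of {run} numbers in one request")
        distinct = len({n for _, n in hist})
        if distinct > self.max_distinct:
            reasons.append(f"{distinct} distinct numbers looked up within {self.window}s")
        return (not reasons, reasons)


# Constructed request log: "<unix_ts> <client> <comma-separated numbers>".
SAMPLE_LOG = (
    ["1000 alice 4155550101,4155550188,4155550934"]                         # a real address book
    + ["1005 mallory " + ",".join(str(4155550000 + i) for i in range(50))]  # one-shot sweep
    + [f"{2000 + b} bob " + ",".join(str(4155000000 + 7 * (10 * b + i)) for i in range(10))
       for b in range(55)]                                                   # slow, non-sequential drain
)


def run_detector(log_lines, guard=None):
    """Replay log lines through the guard; returns {client: [allowed, ...]} in log order."""
    guard = guard or LookupGuard()
    verdicts = defaultdict(list)
    for line in log_lines:
        ts, client, numbers = line.split(" ", 2)
        allowed, reasons = guard.check(client, int(ts), numbers.split(","))
        verdicts[client].append(allowed)
        if not allowed:
            print(f"DENY {client} at {ts}: {'; '.join(reasons)}")
    return dict(verdicts)


if __name__ == "__main__":
    print(run_detector(SAMPLE_LOG))
```

The run-length heuristic catches a single large sweep, while the per-window budget catches a client that spreads non-consecutive lookups across many small requests.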

Re:Too bad it's news... (1)

Desler (1608317) | about 7 months ago | (#45865009)

Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.

What was a correct response? That they initially claimed this wasn't an issue and blew it off? [techcrunch.com]

Snapchat hadn’t provided a public statement until now, and what it’s offered isn’t very satisfying. “Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way. Over the past year we’ve implemented various safeguards to make it more difficult to do.” It goes on to note it’s added more barriers to the use of this hack.

Looks like it was not as "theoretical" as they claimed.

Re:Too bad it's news... (1)

Desler (1608317) | about 7 months ago | (#45865035)

And to add to my previous post, Gibson Security informed them of this hole in August [zdnet.com] and were ignored. In what way is waiting more than 4 months, letting exploit code be posted and user data be leaked before you actually do something a "correct response"?

Re:Too bad it's news... (1)

akozakie (633875) | about 7 months ago | (#45865185)

Was my previous post so hard to understand?

Today's summary describes a correct response. I asked why stuff like this must be news, when it should be, but clearly isn't, business as usual. How can "please inform us about any security problems here: x@y.z" possibly be newsworthy, not standard procedure since early beta? They could have handled the situation like this from the start. Unfortunately most young web/cloud companies do not care about security at all (heh, as if older ones were much better...) and do not react properly even if informed.

So:

In what way is waiting (...) before you actually do something a "correct response"?

In no way at all and the post you just replied to never claimed otherwise.

Why so angry? Or am I reading too much between the lines?

Re:Too bad it's news... (1)

akozakie (633875) | about 7 months ago | (#45865251)

One more unrelated thing:

Unfortunately most young web/cloud companies do not care about security at all

This actually isn't nearly as stupid as it sounds, at least for anything "social". Your users tend to be young and careless or just generally not very privacy and security conscious. With a bit of luck no one will attack you for a while (until you're really big). If you can show quick growth during that time, you should be able to get a huge offer and sell out before any significant attacks happen, making security 100% SEP. Money spent on fixing vulnerabilities is money wasted in this plan - caveat emptor.

The surprising thing is that in this case it worked perfectly as described... but they didn't take the offer. Mind-boggling. Sure, they could hold on to it and keep going, but if that was their plan, then they really should have thought about security and privacy from the start.

Re:Too bad it's news... (2)

Desler (1608317) | about 7 months ago | (#45865477)

I'm not angry. Also, only doing anything after being exploited is not a correct response. Especially after handwaving the issue away by claiming the attack was only theoretical.

Re:Too bad it's news... (1)

akozakie (633875) | about 7 months ago | (#45865581)

One more observation: once actually hit and forced to react by the PR consequences they react quickly and properly. This shows that they were never incompetent about this. They knew from the start how to handle the issue properly. They just didn't give a [CENSORED].

Maybe I'm wrong, but this looks a bit hopeless from the PR side. They had a good run and failed to earn from it. Oops.

Re:Too bad it's news... (1)

Fnord666 (889225) | about 7 months ago | (#45865171)

Why oh why must things like this be news? Correct response to a security problem. Too bad it wasn't fast enough to avoid exploitation.

It was not the correct response. They just "hand waved" it off when they were informed of the issue, basically saying that they knew better than the researchers that found the exploit. Turns out that they were wrong and paid the price.

Re:Too bad it's news... (1)

akozakie (633875) | about 7 months ago | (#45865287)

See my response to Desler's second response. I was referring to today's news, not their initial response. It is a correct response and exactly what they should have done initially.

Dang, seems my post was really misleading...

Never understood snapchat (0)

Anonymous Coward | about 7 months ago | (#45864361)

The solution to sending a message to a person you don't trust isn't to send the message to 2 recipients you don't trust.

The whole concept almost feels like a blackmail scheme in slow motion - get enough dirt on everyone and then start charging so the messages don't become public.

E-mail is not the best way (1)

Anonymous Coward | about 7 months ago | (#45864509)

Evidently, if one cares about improving security quickly, spreading user data all over the web is the best way to let them know.

Amateurish (0)

Anonymous Coward | about 7 months ago | (#45864803)

"researchers could email the firm at security@snapchat.com for any vulnerability discoveries"

Wow, your solution to a massively publicised security flaw was to set up an email account.

How about recruiting lots of security experts yourselves and paying them full time to do this, and making a big public deal about the fact you're improving security this way seeing as you're such a valuable big time company?

This looks unbelievably naive, cheapskate and amateurish.

Re:Amateurish (1)

Shavano (2541114) | about 7 months ago | (#45865269)

And it would be just great if the company didn't provide a way for the public to contact their security staff, right?

Question (0)

Anonymous Coward | about 7 months ago | (#45865143)

Is it illegal to use this to Rick Roll 4.6 million people?

Oh sure (1)

Fnord666 (889225) | about 7 months ago | (#45865147)

"Snapchat also said researchers could email the firm at security@snapchat.com for any vulnerability discoveries. 'We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com,' Snapchat said."

I think it's a little too late to be closing the barn door now. The horses are all long gone. They had a major security breach and their chances of a sale or IPO have gone swirling down the toilet. The top Google search results will return news of this hack for years to come.

Unfortunately in this day and age of web application development the security aspects of many projects seem to be an afterthought if they are considered at all. Personally I hope that they and other developers learn from this and begin being more proactive in their security considerations, but I doubt it.

"When", not "if"? (0)

Anonymous Coward | about 7 months ago | (#45866051)

We want to make sure that security experts can get a hold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns.

Am I reading too much between the lines, when I notice they used the word "when", not "if"?
