For months, a group of security researchers warned that a major security flaw in the popular photo messaging app Snapchat could allow hackers to steal users' personal data. But researchers at Gibson Security say the company never fixed the problem, and this week hackers stole the phone numbers and usernames of millions of Snapchat users and posted them online.
Snapchat's failure to address the flaw is just the latest example of tech companies ignoring security warnings, either because they're too busy or because they think it's unlikely such an attack will occur, experts say. But hackers keep exploiting such flaws, putting these companies and their customers at risk.
Snapchat allows users to send photos and videos that disappear after viewing. According to the company, people send a combined 350 million images using the app each day. Researchers at Gibson Security first warned the company and the public about a security vulnerability in August, and issued a second warning in a blog post on Dec. 25.
Then on Tuesday, anonymous hackers posted 4.6 million Snapchat users' phone numbers and usernames on a site called SnapchatDB.info. (The site has since been taken down.)
While the disclosure of phone numbers and usernames may seem harmless, such information can be combined with other personal data to send spam and to mount other targeted cyberattacks.
Snapchat chief executive Evan Spiegel said Friday he thought his company had "done enough" to prevent such a breach. "But I think in a business like this and a business that is moving so quickly, if you spend your time looking backwards, you're just going to kill yourself," he said in an interview on the "Today" show.
That attitude may be part of the problem. Tech companies have often dismissed warnings from security researchers for "the same reason you ignore health warnings from your doctor," said Bruce Schneier, a security expert who has written several books on the subject.
"You're too busy," he said. "You're distracted. The abstract risk of a future potential security problem is much less salient than the immediate risk of not doing the important thing that needs doing right now."
Several major companies, including Facebook and Google, have started paying security researchers who privately report bugs in their products. But some of these researchers say tech companies don't take them seriously, so they choose to go public with their findings.
"This delay or no serious email response frustrates those that feel they are protecting the company's unwitting users from attackers, and at some point they give up waiting for a fix and tell the world," said Chris Wysopal, chief technology officer at the security firm Veracode.
For example, last August a security researcher discovered a flaw in Facebook that allowed him to post on the walls of people who were not his friends. But the researcher said Facebook didn't respond when he brought his findings to the company's attention. So he exploited the flaw by writing on Facebook CEO Mark Zuckerberg's wall.
The anonymous hackers who posted the personal information of Snapchat users likewise said their motivation was "to raise the public awareness" about cybersecurity and to "put public pressure on Snapchat to get this exploit fixed."
Snapchat denies it ignored warnings about the security vulnerability. The company said on its blog that it has "implemented various safeguards to make it more difficult" to steal phone numbers and usernames and plans to release a more secure version of its app.
Snapchat also said it has worked with security researchers in the past, adding, "We are grateful for the assistance of professionals who practice responsible disclosure."
The company said Thursday that "an attacker" was responsible for the breach this week, and Spiegel said he was "working with law enforcement."
In a separate blog post, Snapchat also listed an email address where security researchers can reach the company to discuss future security vulnerabilities. "We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns," the company said.