Snapchat And Skype’s New-Year cybersecurity bungles

Are you having a Happy New Year thus far? Already we have been brought back down to earth with the realization that hackers posted a database containing 4.6 million names and phone numbers of Snapchat users and compromised the social media accounts of Microsoft’s Skype in two apparently unrelated attacks. The hacks were very different in methodology: the Skype incident saw the compromise of Skype’s social media presence, while in the case of Snapchat user information was disclosed. The protagonists in the Skype caper were the “Syrian Electronic Army”, a group of pro-government Syrian hackers; the Snapchat leak was the work of a lesser-known entity claiming that they wanted to highlight Snapchat’s poor security setup.

XDA Developers yesterday revealed some insights into Snapchat’s alleged attitude to security. I recommend you pop over and read the article by pulser_g2 in its entirety:

“Four months ago, a group of security researchers, known as Gibson Security, identified a flaw in the Snapchat server API. Gibson Security found the original flaw in July 2013 and disclosed the issue to Snapchat. Four months later, and no response from Snapchat. They even tried applying for one of the jobs they were advertising! (source) On December 24th, Gibson Security released full documentation of the Snapchat API. The Snapchat API, while not documented, is not in any way hidden from a competent user, as the Snapchat application simply sends requests to the Snapchat servers using a particular format”.

“Unfortunately though, Snapchat seem to be great believers of “security through obscurity,” sending unfounded takedown requests against people working to understand their API. That shows Snapchat has something to hide. After all, reliable, robust, and professional services make their API available freely and openly for people to use.

What followed was Snapchat’s somewhat lackluster statement on the matter, which amounted to saying “they were right, but we don’t think it’s a big deal, so we won’t really do anything about it, short of hiding behind some words about API query limits”. As anyone competent in security can tell you, putting some limits on this API is a short-term stop-gap fix (if done correctly), but isn’t a proper solution”.

Hmm... So it appears that Snapchat’s attitude may be a factor in bringing this about?

“We used a modified version of gibsonsec’s exploit/method. Snapchat could have easily avoided that disclosure by replying to Gibsonsec’s private communications, yet they didn’t,” claimed the hackers in a statement to TechCrunch. Following news that Snapchat have been hacked, Tim ‘TK’ Keanini, CTO at Lancope, commented:

‘Add another 4.6 million user accounts compromised to the growing total in the past 6 months and we have a real problem on our hands, people. Just in the past month, it seems that the frequency of account compromises is so high that people are having to change their passwords on a weekly basis. This is not sustainable. How bad does it have to get before it starts getting better? The more users you have in your online system, the more attractive you are to the advanced threat. They will work all day and all night to penetrate your systems and in turn, you must work all day and all night to ensure that you defend your system.

At some point, product managers of these systems will prioritize security-related features over all the other features in the backlog and make it happen sooner rather than later. Until then, there will be many more stories like this, and good luck having to change your password for upwards of 50+ accounts on a weekly basis’.

The offending messages have been deleted from Microsoft’s official Skype blogs and social media sites, but the Syrian Electronic Army have since retweeted copies of their hacked messages. Thus far, reps for Microsoft, Skype and Snapchat have not offered any further updates, explanations or comment.