17 January 2013

Snapchat security flaw found in app used for 'safe sexting'

Snapchat, the smartphone app widely regarded as being "sexting friendly", exposed users' email addresses from at least mid-December until the flaw was fixed on Thursday.

Many users of the service create usernames unrelated to their identity but also use their personal email addresses when registering, which put their anonymity in doubt while the flaw was active.

The revelation of users' email addresses being exposed comes as security experts have figured out a way to capture videos sent via Snapchat and rival app Facebook Poke before they self-destruct.

Experts also warn that not many Snapchat users are aware that people can see who they have been chatting to on the service by typing a forward slash and their username after the snapchat.com URL in a web browser (i.e. snapchat.com/username).

Geoff Stearns, the creator of SWFObject, a popular open-source JavaScript file for embedding Adobe Flash content on web pages, discovered the email flaw and reported it to Snapchat on December 14.
After waiting more than two weeks for a response, he posted about it to his 1893 Twitter followers on Thursday, along with a link to a web page explaining how the flaw worked.

Josh Miller, who knows Snapchat chief executive Evan Spiegel, spotted the tweet and emailed Mr Spiegel about it. Shortly after, Mr Miller said the email flaw had been fixed after hearing back from Mr Spiegel.

To expose a user's email address on Snapchat all one needed to do was type their username without a password into the app and attempt to log in. Once this failed, a prompt would ask whether a password reset was required. When pressed, the user's email address was then displayed on the screen, allowing for a person with malicious intent to discover their identity by typing it into a service such as Google or Facebook.
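The reset behaviour described above, next to a form that does not disclose the address, as an added example that is not Snapchat's code. The account store, function names and response text are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: the username and address are made up.
ACCOUNTS = {"nightowl42": "jane.citizen@example.com"}
RESET_TOKENS = {}  # sha256(token) -> (username, expiry timestamp)
GENERIC = "If that account exists, a reset link has been sent to its registered address."


def reset_leaky(username):
    """The behaviour the article describes: the prompt echoes the address."""
    email = ACCOUNTS.get(username)
    if email is None:
        return "No such user"
    return f"Send password reset to {email}?"


def reset_hardened(username, outbox, ttl=900):
    """Return the same text for every username; mail the link out of band."""
    email = ACCOUNTS.get(username)
    if email is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (username, time.time() + ttl)  # keep only the hash
        outbox.append((email, token))  # stands in for the outgoing mail queue
    return GENERIC


def discloses(response, username):
    """True if an unauthenticated caller can read the address in the response."""
    email = ACCOUNTS.get(username)
    return email is not None and email in response


if __name__ == "__main__":
    outbox = []
    print("leaky discloses:", discloses(reset_leaky("nightowl42"), "nightowl42"))
    print("hardened discloses:",
          discloses(reset_hardened("nightowl42", outbox), "nightowl42"))
    print("uniform reply:",
          reset_hardened("nobody", outbox) == reset_hardened("nightowl42", outbox))
```

The hardened handler also gives the same reply for usernames that do not exist, so the reset form cannot be used to confirm which accounts are registered.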

Snapchat, Wickr and other apps such as Facebook's Poke have become popular among teens who believe they are a "safe" way to send explicit pictures of themselves to friends.

They believe these apps are safe because videos and texts sent via them are deleted after a short period of time determined by the sender.

But computer experts have already found ways to save Snapchat and Poke content before it self-destructs, and there is nothing stopping a person from taking a picture of their screen.

Comment about the email flaw is being sought from Snapchat.

smh.com.au 3 Jan 2013
