Earlier this week, a security firm announced that it had discovered a hole in the security of the popular picture-sharing app Snapchat. Apparently, the team at Gibson Security had made repeated attempts to bring this exploit to the attention of the app's developers but was ignored for months.
Eventually, the team decided to release the API for the Snapchat application along with two exploits. One allowed hackers to match phone numbers with Snapchat users' names en masse. The other allowed hackers to create large numbers of fake Snapchat accounts. Together, the API and the exploits will let hackers duplicate Snapchat's API and stalk the application's more than 8 million users, according to reports from TechNewsWorld.
Why did Gibson Security publish the information? Apparently out of frustration that the issues it had reported to Snapchat had not been fixed. Gibson had given Snapchat the information back in August.
One of these was a flaw in the "Find friends" function that allowed hackers to easily build a database of the usernames and phone numbers of Snapchat users. Another was a simple denial-of-service exploit.
The company released the information, API and exploits on its Twitter account. According to ZDNet, Gibson Security is an Australia-based hacker group. However, little more is known about them at this time.
Analysts have weighed in on the issue, saying that Gibson Security followed basic protocol by publicly announcing a hack after being ignored for so long. While it may be a common practice, analysts such as Rob Enderle of the Enderle Group describe the actions as seeming "more focused on giving [it] notoriety than on actually fixing the problem," according to TechNewsWorld. "It may also reflect a need to punish a firm that doesn't respond properly to a warning."
"You always have programmers or hackers who are a bit overzealous and feel that, if a company they've notified about vulnerabilities doesn't react, it's their responsibility to publicize those vulnerabilities to the world," remarked Jim McGregor, principal analyst at Tirias Research. "The question is, 'how far should you take it?'"
Tell us what you think. Did Gibson Security do the right thing by bringing these exploits to the public's attention? Should knowingly releasing these kinds of exploits be made illegal? Comment and share your thoughts on the hacker/security community with us below.