遭黑客袭击 SnapChat客户信息泄露

  SnapChat是一款业内较出名的“阅后即焚”社交软件,自2011年9月在iOS应用程序专卖店上市以来,SnapChat的人气就一路暴涨,市场估值达数十亿美元,中国本土巨头腾讯公司也投资2亿美元。

9AA1E5C899F26

SnapChat标志

  上个月底Gibson Security安全团队的研究者发布了一份报告,声称热门社交应用Snapchat存在两个漏洞,可能会导致严重的iOS、Android用户隐私泄漏。按照其说法,自八月起Snapchat就一直忽视他们修复问题的请求,无奈之下只能公之于众强制Snapchat做出回应。

71BD1CAC1E7AD15

用户界面

  在两个漏洞中,第一个可用来帮助骇客获取用户的隐私信息(比如电话号码),第二个则可用来创建大量垃圾账户。两者都可能被Spammer或跟踪狂拿来作不轨用途,但Gibson Security表示只要「十行代码」就可以把漏洞搞定。

  这个报告发布没多久,SnapChat网站即遭到了黑客的袭击。在本周二,一个匿名的黑客组织公布了一个数据库,其中是约460万个账户的SnapChat电话号码,不过最后两位都被隐去。

  在假期过完之后,SnapChat官方终于发表声明回应,承认在安全方面存在漏洞,但并未为此致歉。

  该公司周三表示他们会发布一个更新版本的应用程序,用户可以使用该程序退出“找朋友”这一功能,而这个功能恰是让账户被攻击的根源所在。好在这场安全漏洞丑闻或许并不会阻止用户继续使用SnapChat,因为没有帐户在这场袭击中遭受实际损坏。

以下是声明原文:

  当我们首次开发Snapchat时,我们发现寻找其他使用该服务的朋友很困难。我们希望找到在地址簿中找朋友的方法——因此我们开发了Find Friends。该功能是可选服务,可以要求Snapchat输入用户的电话号码,以便用户的朋友找到他们的用户名。

 

  这意味着如果你在Find Friends中输入电话号码,有你电话的人可在他们的地址簿中找到你的用户名。2013年8月一个安全团队首次发表了有关Find Friends可能被滥用的报告。不久我们采取了如评价限制等措施解决这些问题。该团体在平安夜公开了我们的API,使得个人更容易滥用我们的服务和违反我们的使用条款。

  上周五我们在博客中提到,黑客有可能使用Find Friends功能随机上传大量的电话号码,并找到相应的用户名。新年前夕,黑客公开了数据库中经过部分编辑的电话号码和用户名。在这些攻击中没有泄露或访问了其他信息包括Snap。

  我们将发布新版Snapchat应用,允许用户在验证了电话号码后退出Find Firends。我们也将改进评价限制和其他限制,解决以后可能出现的服务滥用。我们想告诉安全专家,如果发现了新的滥用服务的方法应告诉我们,以便我们迅速响应解决这些问题。

  Snapchat社区是用户自由表达自己的地方,我们致力于阻止滥用。如果您发现了问题,请联系邮箱security@snapchat.com

  附注英文原文:

  When we first built Snapchat, we had a difficult time finding other friends that were using the service. We wanted a way to find friends in our address book that were also using Snapchat.So we created Find Friends. Find Friends is an optional service that asks Snapchatters to enter their phone number so that their friends can find their username. This means that if you enter your phone number into Find Friends, someone who has your phone number in his or her address book can find your username.
  A security group first published a report about potential Find Friends abuse in August 2013. Shortly thereafter, we implemented practices like rate limiting aimed at addressing these concerns. On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.
  We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.
  We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.
  We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us:security@snapchat.com.

原创文章转载请注明:转载自 七行者博客

本文固定链接: https://www.qxzxp.com/4448.html

遭黑客袭击 SnapChat客户信息泄露:等您坐沙发呢!

发表评论

7 + 1 =

快捷键:Ctrl+Enter