It's taking too much time to download each file even they're 40 MB. I wish they put it on as torrent in the first place.
Regarding the leak, yeah, that actually happens when you focus on the product but security and reliability of your system. Snapchat, Whatsapp and many others are hacked numerous times and yet it still happens.
I do not wish they would torrent this. People, think about it. Personal, private phone numbers. Why would you want this information? Seriously the comments here make me sad for humanity right now.
Torrent or not, I want to see if any of my less tech-savvy friends are on the list so I can warn them even though I don't use Snapchat myself. It's much easier to convince them there's a real problem if I can say "Look, I can get your phone number and username from the Internet just like that" rather than explaining theoretical reasons why they're vulnerable.
it's not that - resolving who people are across many services needs lots of fields of info. The more the better the accuracy of the algorithms that find the correlations.
Hmm, I somewhat disagree. Private information is anything you don't want public. By protocol, it isn't strictly private. But a phone number is private/unknown until its known, which is how most of us prefer it.
For example, in implicit social code it is impolite to give away a friend's phone number without asking them first.
The gray area for that is sharing a business phone number of your friend that they share widely through business cards or their website. Though typically it ends up being an email introduction if you really care to connect someone with your friend.
>>The company was too reluctant at patching the exploit until they knew it was too late
Did they give Snapchat enough time to fix this before releasing this data?
NOTE: I've heavily edited this comment because when I first read the website I thought snapchat ignored the people who found an exploit but re-reading, it's no longer clear to me that releasing this data is not pure malice.
NOTE2: The link from couchdive's comment makes this more interesting - http://www.zdnet.com/researchers-publish-snapchat-code-allow... - but still, the webpage hosting the data said the exploit was fixed, so it wasn't ignored, so... I don't know what the purpose of releasing this data was.
Why would you donate to these people? Because they're hurting Snapchat users? What is wrong with the people posting in this thread like this is some kind of good thing? Real people can be hurt by this.
Um, I just want to say that I have _NO IDEA_ why my BTC address is on that list and I've never seen this git URL before in my life. That BTC address is my deposit address on BTC-e.com. This address has only ever received 2.25 BTC[1] and this was purchased fair & square from coinbase.com[2] with my hard-earned USD. I really do not know what in the world is going on or who put my BTC-e.com address on this alleged cryptolocker's known list. I have absolutely nothing to do with that software.
Pardon me while I go to BTC-e.com and have it generate a new address. I don't need to be getting mixed up in this.
I would have found it quite amusing/scary to suddenly see some huge balance on my account. BTC-e.com sends emails for any account activity and I haven't seen anything I didn't cause. Also, BTC-e.com is just too convenient not to use for now. It's the quickest way for me to get litecoin until coinbase.com supports it.
When i first read your post smtddr i got worried we had a collision!
Ive found the quality of blockchain auditing in 2013 highly inaccurate. I recently bring attention to the case recently on reddit where someone 'chased' the SMP thief through a tumbler and found... the 96k wallet allegedly owned by btc-e.
Its a shame if a non published address of yours has been tainted in someones inaccurate blockchain analysis.
w-ll was talking about the original BTC address in my profile being on the known list for cryptolocker. The same address I linked to in my reply to her/him. When you say "we", who are you?
Also, that whole reddit thread about chasing the SMP stolen coins I thought was too hard to actually pull off. For example, I use coinbase to buy BTC, to send to BTC-e.com, to buy Litecoins and ultimately store them in the offline address that's in my HN profile. Can anyone show me the blockchain.info URLs that would prove my actions? If the SMP people changed coin-types, that's how it'd end up on BTC-e.com's wallet. In fact, maybe that same flawed logic is how my BTC-e.com address ended up in that list - capturing addresses that BTC-e.com uses for its customers or internal operations.
This whole incident reminds me of Reddit doxxing. This could have ended up much worse for me. I'm just glad I found out this way instead of the police requesting info from Google about my youtube account and gmail inbox then busting down my door in the middle of the night.
Just to hoist things up thread, all your link boils down to is the software you link using a very inclusive heuristic (something like the size of a transaction with BTC-e).
So this particular 'accusations.txt' doesn't mean very much.
What does snapchatdb hope to accomplish by allowing people to download the db.
Just showing and proving that you've hacked the database should be enough to get the company to respond. They're probably not hurting snapchat as much as the potential damage to the people who's phone numbers and usernames are being dowloaded.
Wasn't there a story posted right here on HN like a week ago where some people notified snapchat of the vuln. and provided evidence, but Snapchat told them to basically f* off?
I'm not savvy enough to have the link at hand but I vividly remember that happening.
Looks like they are using WhoIsGuard to protect the domain whois information. The terms of WhoIsGuard[1] include not violating the privacy of others:
> defame, abuse, harass, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others;
I've sent WhoIsGuard an email. Hopefully they'll revoke service. Shame on the people that published this private information. They aren't hurting just Snapchat. Revealing personal information like this can cause real problems for people.
Hrm... it's New Years Eve and people have taken off early, and I suspect that WhoIsGuard doesn't have round the clock support coverage. Disclaimer: pure speculation, but I think its fair to say the timing was strategic.
Actually in this case the absolute best thing would be for Snapchat, Inc. to go full court press against snapchatdb.info, as what is actually important here is to communicate both the "snapchat security is a lie" message, and "companies which flagrantly suck and then piss on those who report vulnerabilities responsibly will suffer" message, rather than the actual snapchat phone/username db. Streisand will help that more than "go to this site which is really slow and download a huge file which you can't easily use to find your own number or that of your friends" (without a minimum of "how to use a computer" skill).
The website clearly states that the last 2 digits of the phone numbers are censored. You're free to do what you think is right, but in this case you're the one who is trying to get somebody's private information published.
I think if some private parties already have access to the info (people who have already downloaded the DB) then we're all better off having access to the list to see if we are on it or not.
we are kind of the media.. and reddit is too.. I also believe that they made a fatal error by not selling everything for $3bn then jumping aboard. To not have anything to do with the "soon to come security issues". I mean they could have mentioned it and downplay it as they did just recently. I don't think that the new owner would take security more serious than them.
For us it was really really good that he rejected the offer! Because otherwise we would see the trade market crash $3bn, guess who would have to pay loss.. we..
well, if he saw that coming, which I doubt, he would be a hero.
>I don't think that the new owner would take security more serious than them.
I don't know about that. Their dismissal was (at least framed as) "well that's a lot of data, so it's not going to happen!"
Actual excerpt from their blog, on the 27th: "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way."
Unless it's changed recently, the phone number is user-supplied and I'm not sure if it's verified at all. They do claim that the phone number "will be stored as unique mathematical representations (or 'hashes')..." rather than plaintext, but I imagine if you know it's a non-salted phone number that's been hashed, it's pretty easy to brute force. But were they lying about hashing the phone numbers? I guess it doesn't matter if they hashed the phone numbers if they're going to expose an unlimited query API that can be brute-forced like this.
Yes. I signed up in-app today (with a fake phone number) and that's a direct quote from the app.
No idea on the downvotes. I guess because, like I said, telling users you hash the phone numbers doesn't matter if you're using them to search for an unhashed userid. But they're implying to users that their phone numbers are secure because they're hashed, when it really doesn't matter.
For those who haven't noticed that, they are censoring the last two digits of the phone numbers:
> For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.
I would imagine some of the people wanting to download the data are snapchat users who are trying to find out if they (or people they know) have data is in the file. No clue on the distribute part.
>For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.
At least they had the tact to omit the complete phone numbers, but agreeing to release them under certain conditions just seems malicious.
> For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.
Why not just release the usernames and leave out the phone numbers?
Yes, this is strange on all fronts. As far as I know names and land numbers are still published in phone books, and a phone number isn't generally a very interesting bit of information to have. And to the extent this information is sensitive, why be so eager to spread it (beyond being a teenager and getting a thrill)?
1. You can remove your phone number from phone books.
2. Cell numbers aren't published in those books, which this affects.
2. Land lines these days are somewhat separate from our lives. It's relatively easy to ignore. Getting phishing texts (say, faking our banks, since some -- including myself -- have some bank alerts texted to us) to our cellphones could be quite harmful. If you send a million texts pretending to be Chase, and say 50% of the numbers are legit cell phone numbers, and 20% of people have chase accounts, and 0.1% of people fall for the phishing attempt, then you get 1/10,000 people getting phished. That's 100 people out of a million affected monetarily, and 500,000 people getting annoyed by the spam.
Obviously this is back of the envelope, but this is one reason it could matter.
edit: a comment thread below mentions that the bottom two digits are hidden at this moment but will be revealed for interested parties. That really smells like the numbers will be sold to spam/phishing operations.
Cool... Someone else has a database of phone numbers associated with their snapchat usernames, previously assumed to be private, which is what this story is actually about.
The "first" NPA is 201, and from there the first assigned NXXes are 200, 202 and so on. 201-201 is unavailable. (According to the latest LERG update I have.)
Possibly they shouldn't have pissed on the people who notified them of the vulnerability, and on the journalists who broke the story?
(aside from not being vulnerable to this in the first place, but that actually is a lot to ask. I still can't believe anyone relied on the Snapchat model of security more so than any other app, although from an ease of use, non-security perspective, sure, it's reasonable.)
236 comments
[ 4.4 ms ] story [ 248 ms ] threadRegarding the leak, yeah, that actually happens when you focus on the product but security and reliability of your system. Snapchat, Whatsapp and many others are hacked numerous times and yet it still happens.
For example, in implicit social code it is impolite to give away a friend's phone number without asking them first.
http://www.catb.org/jargon/html/H/hacker.html
Perhaps to see if one's own number is among those leaked?
Did they give Snapchat enough time to fix this before releasing this data?
NOTE: I've heavily edited this comment because when I first read the website I thought snapchat ignored the people who found an exploit but re-reading, it's no longer clear to me that releasing this data is not pure malice.
NOTE2: The link from couchdive's comment makes this more interesting - http://www.zdnet.com/researchers-publish-snapchat-code-allow... - but still, the webpage hosting the data said the exploit was fixed, so it wasn't ignored, so... I don't know what the purpose of releasing this data was.
1. https://news.ycombinator.com/user?id=smtddr
2. https://github.com/mikispag/bitiodine/blob/master/classifier...
Pardon me while I go to BTC-e.com and have it generate a new address. I don't need to be getting mixed up in this.
1. https://blockchain.info/address/19ukXViVqQ2pVg63aeTmMNv6TBEZ...
2. http://i.imgur.com/6EKJvX9.png
They have already got $1USD for this. https://blockchain.info/address/1M7rREovDkdEh4mZrYNgcj1FECRk...
When i first read your post smtddr i got worried we had a collision! Ive found the quality of blockchain auditing in 2013 highly inaccurate. I recently bring attention to the case recently on reddit where someone 'chased' the SMP thief through a tumbler and found... the 96k wallet allegedly owned by btc-e. Its a shame if a non published address of yours has been tainted in someones inaccurate blockchain analysis.
Also, that whole reddit thread about chasing the SMP stolen coins I thought was too hard to actually pull off. For example, I use coinbase to buy BTC, to send to BTC-e.com, to buy Litecoins and ultimately store them in the offline address that's in my HN profile. Can anyone show me the blockchain.info URLs that would prove my actions? If the SMP people changed coin-types, that's how it'd end up on BTC-e.com's wallet. In fact, maybe that same flawed logic is how my BTC-e.com address ended up in that list - capturing addresses that BTC-e.com uses for its customers or internal operations.
Based on the page for that tool ( http://miki.it/articles/papers/#bitiodine ), it looks like they would be interested to know of the failure.
This whole incident reminds me of Reddit doxxing. This could have ended up much worse for me. I'm just glad I found out this way instead of the police requesting info from Google about my youtube account and gmail inbox then busting down my door in the middle of the night.
So this particular 'accusations.txt' doesn't mean very much.
I'm not savvy enough to have the link at hand but I vividly remember that happening.
https://news.ycombinator.com/item?id=6962329 (6 days ago)
https://news.ycombinator.com/item?id=6970036 (4 days ago)
> defame, abuse, harass, threaten or otherwise violate the legal rights (such as rights of privacy and publicity) of others;
I've sent WhoIsGuard an email. Hopefully they'll revoke service. Shame on the people that published this private information. They aren't hurting just Snapchat. Revealing personal information like this can cause real problems for people.
[1] http://www.whoisguard.com/legal-tos.asp
That would be Snapchat.
Stop trying to censor stuff that's already out there.
http://en.wikipedia.org/wiki/Streisand_effect
They also say:
> Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.
which is, in my opinion, kind of messed up. (Unless I'm missing a reason why that would be helpful in any way.)
For us it was really really good that he rejected the offer! Because otherwise we would see the trade market crash $3bn, guess who would have to pay loss.. we..
well, if he saw that coming, which I doubt, he would be a hero.
I don't know about that. Their dismissal was (at least framed as) "well that's a lot of data, so it's not going to happen!"
Actual excerpt from their blog, on the 27th: "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way."
This is kind of a joke.
Did they really claim phone numbers are hashed? If so, why has nobody else touched on this subject?
No idea on the downvotes. I guess because, like I said, telling users you hash the phone numbers doesn't matter if you're using them to search for an unhashed userid. But they're implying to users that their phone numbers are secure because they're hashed, when it really doesn't matter.
> For now, we have censored the last two digits of the phone numbers in order to minimize spam and abuse. Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it.
At least they had the tact to omit the complete phone numbers, but agreeing to release them under certain conditions just seems malicious.
Why not just release the usernames and leave out the phone numbers?
SQL: https://mega.co.nz/#!QJklSRJA!WrVeARPvcYgyKI3KENiPu0A6hlRCLf...
2. Cell numbers aren't published in those books, which this affects.
2. Land lines these days are somewhat separate from our lives. It's relatively easy to ignore. Getting phishing texts (say, faking our banks, since some -- including myself -- have some bank alerts texted to us) to our cellphones could be quite harmful. If you send a million texts pretending to be Chase, and say 50% of the numbers are legit cell phone numbers, and 20% of people have chase accounts, and 0.1% of people fall for the phishing attempt, then you get 1/10,000 people getting phished. That's 100 people out of a million affected monetarily, and 500,000 people getting annoyed by the spam.
Obviously this is back of the envelope, but this is one reason it could matter.
edit: a comment thread below mentions that the bottom two digits are hidden at this moment but will be revealed for interested parties. That really smells like the numbers will be sold to spam/phishing operations.
(aside from not being vulnerable to this in the first place, but that actually is a lot to ask. I still can't believe anyone relied on the Snapchat model of security more so than any other app, although from an ease of use, non-security perspective, sure, it's reasonable.)
But it was a matter of time until this happened, the exploit still works with minor modifications, you just have to be smart about it.
The first thing that came to mind was "oh boy, I'll bet this made Zuck's new years eve!"