The resulting data could be sold, or used for scamming and stalking.
Exploits of Snapchat’s API allow for a script to associate phone numbers with Snapchat users’ display names, user names, and account privacy level, according to a report from ZDNet citing a collective called Gibson Security. Users of the exploit could take that data and resell it for cash, as well as scam or stalk the Snapchat accounts they’ve identified.
Gibson Security claims it’s known about this exploit, as well as one that would let a hacker bulk-register thousands of accounts on the service, since August. Snapchat failed to acknowledge Gibson Security’s attempts to contact it about these exploits, Gibson Security writes, so it published the API and exploits on Tuesday.
The phone numbers and names can be connected even if the Snapchat user’s account is set to private. The information could be scraped together into a database like that of ssndob.cc, according to ZDNet, which allows site-goers to “pay a few dollars and obtain the phone number and social media profiles of a person, just by their username.”
Gibson Security claims that Snapchat could have at least fixed the bulk register exploit with a handful of lines of code, but has neglected to do so. Meanwhile, Snapchat recently announced a new rate-limited feature that allows users to view one time-limited snap a second time each day. Snapchat has not commented on this yet.
Source: ARS Technica.