[gibsonsecurity]

Hi, I'm one of the authors of the above release [1], and the exploit we primarily talked about (find_friends) isn't really an issue with the protocol as a whole.

We understand the need to support legacy clients, but Snapchat could easily limit the damage this exploit could do.

It wouldn't be that hard for them to make the best of what they have, by auditing all the code that typically has these exploits, and from that point onwards, also auditing riskier areas in the code base periodically.

But yeah, we have seen an improvement in some of the Snapchat client code, which indicates there are probably some bright new developers that have just joined the team. We just find it pretty bad that in this time, we haven't seen attempts (on our end, server side may be different) to secure the protocol.

Also regarding communication, we haven't heard a word from Snapchat in 4 months, neither has the reporter of this story, Violet Blue. If any of the guys from Snapchat are reading this (or you can pass on a message), tell them they're free to message us at security@gibsonsec.org.

We're pretty easy to contact. [1]: http://gibsonsec.org/snapchat/fulldisclosure/

*

Just saw your edit, the purpose of this release wasn't to tell everyone we're the nth person to reverse engineer Snapchats protocol, but rather to bring attention to the particular vulnerabilities.

I can speak for the rest of our team, and we're pretty sick of Snapchats protocol, and this will most likely be our last release regarding it.

(Also I noticed newlines broke, kinda fixed that)

[antics]

Yeah, I agree with pretty much everything you said. I too think they could do a lot of things better. Yes, they've been really really slow to fix known issues. I did not mean to denigrate your work, which seems solid. :)

I'm just saying, 9 months down the road, if they had the optimal version of their security protocol, someone could still break in and write a post that "audits" it, just like we get every couple of months on the HN frontpage. Everyone would laugh, again. Some people would know that it's as good as it gets, but most people would just be in it for the circle jerk. There's no win for them here. That's all I'm saying.

*

Also, seeing your edit responding to my edit, sorry, I sometimes post before I work everything out perfectly. This isn't really an indictment of you guys specifically. I think your work is great.

[gibsonsecurity]

Thanks, and that's totally fine. I agree with you, Snapchats definitely flawed from the start, but as long as we get rid of gaping holes in their security such as the find_friends exploit, at least they're halfway there.

(OT, but you have a really cool project list btw :P)

[eps]

Offtopic - your name is confusing. I assumed you were Steve Gibson's spin-off into security, which is a poor association to have as he is widely considered an amateur in security matters. Very vocal and assertive, but an amateur nonetheless.

http://grc.com

[gibsonsecurity]

I'm quite the fan of Steve Gibson, infact I use grsec on my boxes, sadly we only noticed this after our initial release, when it really was too late.

If Steve Gibson hears of this, or reads this, my apologies, this was not intended.

(also this was a reference to the movie Hackers, which in turn a reference to William Gibson)

[neeee]

Steve Gibson and Gibson Research Corporation are not affiliated with the grsec guys. This is quite confusing.

[gibsonsecurity]

He isn't?

Sorry that really is a mistake on my part. I thought I saw his name attached to it. I'm probably thinking of someone else, again I apologize to all parties involved.