Everywhere you turned in 2013, Snapchat was in the news. The app, which allows users to send “self-destructing” images and messages to each other, reportedly refused a buyout at $3 billion. Immediately following that, the company made headlines again by raising a $50 million Series C round from a single investor, Coatue Management. That investment brought the total amount raised for Snapchat to $123 million.

They’re also entangled in a legal brouhaha with Reggie Brown, a fraternity brother and former friend of Snapchat founders Evan Spiegel and Bobby Murphy. Brown claims that he is one of the founders of Snapchat and was underhandedly written out of the company by Spiegel and Murphy.

While it’s been a bumpy ride for Snapchat, and for the most part the bumps have been up, most of that financial news doesn’t affect Snapchat’s 30 million active users, who account for over 400 million snaps sent per day.

But this news might….

TechnoBuffalo reported late last week, on information from ZDNet and Gibson Security, that Snapchat’s privacy features may not be so private after all. The problem with this, of course, is that Snapchat is based on total privacy.

ZDNet reports that Gibson Security repeatedly warned Snapchat about an exploit that would easily allow “mass matching of phone numbers with names and mass creation of bogus accounts.” Yes, if phone numbers get matched, the anonymity goes away. After its security report and warnings had gone ignored since August, Gibson Security last week published the report, including “Snapchat’s previously undocumented developer hooks (APIs) and code for two exploits.”

ZDNet goes on to say that “Snapchat names, aliases and phone numbers can be discovered and harvested via the Snapchat Android and iOS API even if the user’s account is private.” Definitely not something anyone wants to hear about an app that provides a cloak of privacy.

Gibson Security told ZDNet via email: “People could operate a service similar to ssndob.cc (see here), where you could pay a few dollars and obtain the phone number and social media profiles of a person, just by their username.” But they added something that could perhaps be more alarming: “You could find someone’s phone number in minutes provided you know the general area they live in.”

While most social network and photo sharing apps thrive off of a “find friends” feature, which allows you to scan your phonebook for friends using the service, the opposite is true for Snapchat. If you want a user to Snapchat you, you need to give them that information; it’s all part of the anonymity in the app. However, ZDNet details “Find Friends” and “Bulk Registration” exploits. With the Find Friends exploit you could get a 1:1 match between phone number and Snapchat user. Now that secret admirer sending you inappropriate photos could easily be found out.

The Gibson Security report doesn’t only outline these critical flaws in the Snapchat app; it goes on to say these exploits could easily be fixed with 10 lines of code. And if that’s not enough, the firm also says that Snapchat has lied to the media and investors about their user base being 70% female.

Gibson Security chose Christmas week to release all of this data because they, and others in the hacker community, are sick of the company ignoring their concerns, which ultimately could hurt their user base.

More at ZDNet and TechnoBuffalo.