A new study suggests the popular smartphone app SnapChat is vulnerable to hackers looking for phone numbers attached to user accounts.

The study, published by Gibson Security, found a flaw in the photo messaging app's application programming interface (API) called "find_friends." The flaw could allow a hacker to search through a large number of phone numbers and match certain ones with their corresponding SnapChat account.

PC World reported that Gibson first reported the API vulnerability in August. The API opens lines of communication between SnapChat's clients and servers. Gibson re-released its study Dec. 25 because they said the app's makers did not fix the problem when it was originally brought up.

"We did some back-of-the-envelope calculations based on some number crunching we did (on an unused range of numbers)," the researchers said, according to PC World. "We were able to crunch through 10 thousand phone numbers (an entire sub-range in the American number format (XXX) YYY-ZZZZ - we did the Z's - in approximately 7 minutes on a gigabyte line on a virtual server."

SnapChat is a photo messaging service that allows users to send videos, drawings and photos to fellow users. However, a user can set a specific time limit of a few seconds for the message to automatically delete itself.

One of the app's weaknesses is a Python script perform repeated searches through a set of phone numbers and return names and SnapChat accounts associated with those numbers. The study estimated a hacker could obtain 5,000 phone numbers in a minute this way.

"In an entire month, you could crunch through as many as 292 million numbers with a single server," they said. "Add more servers (or otherwise increase your number crunching capabilities) and you can get through a seemingly infinite amount of numbers. It's unlikely Snapchat's end would ever be the bottleneck in this, seeing as it's run on Google App Engine, which (as we all know) is an absolute tank when it comes to handling load."

Another weakness was with the app's less-than-thorough registration process. Gibson said hackers can create a plethora of fake accounts at a time through the API using a separate script.