Snapchat's Latest Security Feature Defeated in 30 Minutes

Snapchat has had a torrid time regarding security over the last year

Snapchat has had a torrid time over the last year. First it was revealed that deleted snaps aren't actually deleted, then it suffered a rising and continuing spam problem, and finally it dismissed warnings from GibsonSec about an API security issue only to lose 4.6 million user email addresses and phone numbers just a few days later. The entire database was posted on the internet, minus the last two digits of the phone number. The result, according to uSwitch: "In an informal poll of 238 people, 165 (69%) said they will not be using Snapchat again as a result of the breach."

Since then a Dallas school sophomore, Graham Smith, demonstrated that the lack of the last two digits was no real problem, and found the phone number of Snapchat CTO Bobby Murphy. "After getting blasted by the press, Snapchat said it was open to security tips from researchers and patched the hole Smith used by rate limiting accounts to one Find Friends API call per hour," reports TechCrunch. "But Smith soon discovered hackers could simply set up a new account for each API call."

Fighting back, Snapchat yesterday launched a new captcha feature for new users. This should prevent users setting up a new account for each API call. "After registering with an e-mail address, password, and birth date, you're presented with a set of nine tiles, some with Snapchat's familiar ghost mascot and some without," explained CNET. 

"Your challenge is to tap on the images with the ghosts. Do it successfully, and you gain entry. Otherwise, Snapchat denies your request and prompts you to keep trying."

The purpose, as with all 'captchas,' is to differentiate between human users and the bots that automatically generate large numbers of false accounts to engage in spam. The principle is good. "But how long will it take an enterprising hacker to find a way past this latest security measure?", concludes the CNET report.

Not long. In fact, just a couple of hours. "I woke up this morning and saw [the CNET] article detailing Snapchat's new people verification system," blogged Steven Hickson. He was not impressed. "The problem with this is that the Snapchat ghost is very particular. You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision."

He then proceeded to demonstrate the ease of template matching by writing a short routine of about 100 lines of code that automatically finds which tiles include the ghost. "With very little effort, my code was able to 'find the ghost' in the above example with 100% accuracy. I'm not saying it is perfect, far from it. I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong." Hickson has now posted his code on GitHub.
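The weakness Hickson describes is that a captcha built around one unchanging image gives an attacker a fixed template, and template matching against a fixed template is a solved problem. The following added example (not Hickson's GitHub code and not Snapchat's captcha) illustrates this from the defender's side with nothing but the Python standard library: a constructed 6x6 "ghost" bitmap is pasted into a constructed grid of nine 12x12 tiles, a normalized cross-correlation (NCC) matcher slides the template over each tile, and a threshold on the peak score decides which tiles contain the ghost. The same function is then run with per-tile pixel jitter applied to the pasted ghost to show how quickly the matcher's confidence collapses once the image is no longer an exact copy of the template. The template, tile size, noise level, threshold and jitter rate are all assumptions chosen for the demonstration; pixel flipping is used only to make the point measurable, not as a recommended captcha design.

```python
"""Why a fixed-template image captcha is weak: NCC template matching on
constructed tiles. Everything here (template, tiles, threshold) is made up
for the demonstration; it is not Snapchat's captcha or Hickson's code."""
import math
import random

# Constructed 6x6 "ghost" template (1 = ghost pixel, 0 = background).
GHOST = [
    [0, 1, 1, 1, 1, 0],
    [1, 1, 0, 1, 0, 1],
    [1, 1, 1, 1, 1, 1],
    [1, 1, 1, 1, 1, 1],
    [1, 1, 1, 1, 1, 1],
    [1, 0, 1, 0, 1, 0],
]
TILE = 12        # each tile is TILE x TILE binary pixels (assumption)
THRESHOLD = 0.9  # peak NCC at or above this => "tile contains the ghost" (assumption)


def ncc(patch, tmpl):
    """Normalized cross-correlation of two equally sized 2-D 0/1 lists, in [-1, 1]."""
    p = [v for row in patch for v in row]
    t = [v for row in tmpl for v in row]
    n = len(p)
    mp, mt = sum(p) / n, sum(t) / n
    num = sum((a - mp) * (b - mt) for a, b in zip(p, t))
    den = math.sqrt(sum((a - mp) ** 2 for a in p) * sum((b - mt) ** 2 for b in t))
    return num / den if den else 0.0  # a constant patch carries no signal


def best_match(tile, tmpl=GHOST):
    """Slide the template over every offset in the tile; return (peak NCC, (row, col))."""
    h, w = len(tmpl), len(tmpl[0])
    best = (-1.0, (0, 0))
    for r in range(len(tile) - h + 1):
        for c in range(len(tile[0]) - w + 1):
            patch = [row[c:c + w] for row in tile[r:r + h]]
            score = ncc(patch, tmpl)
            if score > best[0]:
                best = (score, (r, c))
    return best


def make_tile(rng, with_ghost, noise=0.05, jitter=0.0):
    """Constructed tile: sparse background noise plus, optionally, the ghost pasted
    at a random offset. `jitter` is the fraction of ghost pixels flipped per tile
    (0.0 = exact copy of the template, i.e. the fixed-template case)."""
    tile = [[1 if rng.random() < noise else 0 for _ in range(TILE)] for _ in range(TILE)]
    if with_ghost:
        r0 = rng.randint(0, TILE - len(GHOST))
        c0 = rng.randint(0, TILE - len(GHOST[0]))
        for r, row in enumerate(GHOST):
            for c, v in enumerate(row):
                if rng.random() < jitter:
                    v = 1 - v
                tile[r0 + r][c0 + c] = v
    return tile


def solve_grid(tiles, threshold=THRESHOLD):
    """Indices of the tiles the matcher believes contain the ghost."""
    return [i for i, t in enumerate(tiles) if best_match(t)[0] >= threshold]


def accuracy(seed=1, n=9, jitter=0.0):
    """Build n labelled tiles (ghost in the even-numbered ones), run the matcher, and
    return (fraction of tiles classified correctly, mean peak NCC over ghost tiles)."""
    rng = random.Random(seed)
    labels = [i % 2 == 0 for i in range(n)]
    tiles = [make_tile(rng, g, jitter=jitter) for g in labels]
    found = set(solve_grid(tiles))
    correct = sum((i in found) == g for i, g in enumerate(labels))
    peaks = [best_match(t)[0] for t, g in zip(tiles, labels) if g]
    return correct / n, sum(peaks) / len(peaks)


if __name__ == "__main__":
    acc, peak = accuracy()
    print(f"fixed template : accuracy={acc:.2f}, mean peak NCC on ghost tiles={peak:.2f}")
    acc_j, peak_j = accuracy(jitter=0.3)
    print(f"30% pixel jitter: accuracy={acc_j:.2f}, mean peak NCC on ghost tiles={peak_j:.2f}")
```

With an exact copy of the template in every ghost tile the matcher scores a perfect 1.0 at the true offset and classifies all nine tiles correctly, which is the situation Hickson's "100% accuracy" remark describes. Once each pasted ghost differs from the template, the peak score falls below the threshold and the matcher starts missing ghosts, which is why a captcha has to vary its challenge images per instance rather than reuse one mascot bitmap; whether any particular variation actually resists more capable classifiers is a separate question this toy does not answer.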

How users will react to this latest security failing remains to be seen. CNET asked Snapchat for a response, but has not yet received one. uSwitch, however, is scathing. "This all represents a major slip up for Evan Spiegel, the 23-year-old behind Snapchat. Just four months ago he turned down billions from Facebook for his growing app. Now he’s facing the very real possibility of his platform failing due to weak security measures."
