In its frenzy of rapid growth and expansion, Snapchat has left some fairly gaping holes in its service. Right at the end of last year Snapchat was hacked, 4.6 million accounts were compromised and a list of partially redacted phone numbers was released. Snapchat has since tried to fix that problem, but with each fix and new feature comes workarounds and exploits.
The latest solution was a recaptcha style human verification test people took to calling a “Snap-tcha.” The user is asked to select from a group of images and click the one that contains Snapchat’s ghost mascot to prove that they’re not a robot. Too bad one user was able to crack the system in less than an hour.
Steven Hickson, a blogger and computer engineering graduate wrote less than 100 lines of code and was able to circumvent the human part of the verification. He acknowledges it wasn’t even hard, and says that the verification system is so weak he could afford to be lazy about it.
“With very little effort, my code was able to ‘find the ghost’…with 100 percent accuracy,” he writes on his blog. “If it takes someone less than an hour to train a computer to break an example of your human verification system you are doing something wrong.”
The Snap-tcha ghost finding system was implemented in the wake of a revelation that the vulnerability that led to the release of the phone numbers wasn’t closed effectively. Sixteen year old hacker Graham Smith found that serious vulnerabilities still existed. He told Snapchat about the problem and offered his help.
A week later he had no response from Snapchat, so he looked again and found that nothing had been done. So Smith used the loophole to find the phone number of Snapchat’s CTO Bobby Murphy and sent him a text message. In response, he was told to email the company again about the problem. But that wasn’t the end of it.
After yet another fix, Smith found another vulnerability; there was no server-side account verification before using the “find friends” feature. Anyone with the leaked phone numbers could get data, or possibly spam the users exposed during the December hack.
It’s becoming clear that Snapchat does not have strong security protocols. The fixes it tried to implement are half-hearted at best, and completely pointless at worst. Snapchat has more security holes than a chain link fence. And they’ve left the gate open. All that’s left to do is put a big “Nobody home” sign on the front door.
Image credit: ryan.nagelmann