Snapchat now verifies new users aren’t robots by making them choose its ghost mascot within images. It’s an attempt to keep out hackers who could steal phone numbers by exploiting a leaked database of details on 4.6 million accounts. A 16-year-old hacker proved he could do just that by finding the number of Snapchat CTO Bobby Murphy, but now he says Snapchat has patched the holes he harnessed.
Graham Smith, a high school sophomore from Dallas, Texas has documented his research on Snapchat security. He tells me he began experimenting with Snapchat’s undocumented API over the summer. He built a tool that could determine if a string of numbers was actually a phone number connected to a Snapchat account, similar to the exploit Gibson Security outlined when it detailed Snapchat’s security holes. An independent hacker group then used Gibson’s info to create SnapchatDB, a database of 4.6 million usernames and the first 8 digits of people’s phone numbers.
After getting blasted by the press, Snapchat said it was open to security tips from researchers and patched the hole Smith used by rate limiting accounts to one Find Friends API call per hour. But Smith soon discovered hackers could simply set up a new account for each API call. He reached out to Snapchat about it, and a spokesperson said the company was “willing” to work on the problem.
A few days later, Smith writes he had seen no sign of Snapchat fixing the problem so he used his exploit to find Snapchat CTO Bobby Murphy’s phone number and text him. Smith says Murphy responded telling him to send an email and he’d look into the problem.
A week later Smith found another hole. Snapchat had updated its apps to require new users to verify their phone numbers, but Smith discovered there was no server-side check to see if accounts were actually verified before they used Find Friends, so his past exploit still worked. Murphy acknowledged the lack of a server-side check on January 13th, and by the 17th Snapchat was actively requiring a user’s phone number to be verified for them to use Find Friends — an until-now unreported fix of a serious security flaw.
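As an added illustration that is not from the article or from Snapchat, here is a hypothetical Find Friends handler that closes the two gaps Smith found: verification is checked against server-side records rather than a flag the app sends, and the hourly limit is keyed on the verified phone number and client address, so a freshly created account does not get a fresh quota. All function and table names are made up.

```python
# Added illustration, not Snapchat's code. Hypothetical server-side state and
# handler for a "Find Friends" style lookup endpoint.
RATE_LIMIT_WINDOW = 3600  # seconds: one call per hour, as the article describes

ACCOUNT_PHONE = {}        # username -> phone number supplied at signup
VERIFIED_PHONES = set()   # phones whose SMS code the server has matched
LAST_CALL_BY_PHONE = {}   # rate-limit state keyed by verified phone number
LAST_CALL_BY_IP = {}      # rate-limit state keyed by client address
LAST_CALL_BY_USER = {}    # per-account state used only by the weak version


def register(username, phone):
    ACCOUNT_PHONE[username] = phone


def confirm_sms_code(phone):
    """Record verification only after the server has matched the code it sent."""
    VERIFIED_PHONES.add(phone)


def find_friends_weak(username, request, now):
    """The pattern the article describes: the app asserts the phone is verified
    (nothing is checked server-side) and the limit resets with each new account."""
    if not request.get("verified"):        # client-controlled flag
        return "unverified"
    if now - LAST_CALL_BY_USER.get(username, float("-inf")) < RATE_LIMIT_WINDOW:
        return "rate_limited"
    LAST_CALL_BY_USER[username] = now
    return "ok"


def find_friends(username, client_ip, now):
    """Hardened handler: server-side verification check, and limits keyed on
    the verified phone and the client address, which a new account cannot reset."""
    phone = ACCOUNT_PHONE.get(username)
    if phone is None or phone not in VERIFIED_PHONES:
        return "unverified"
    for table, key in ((LAST_CALL_BY_PHONE, phone), (LAST_CALL_BY_IP, client_ip)):
        if now - table.get(key, float("-inf")) < RATE_LIMIT_WINDOW:
            return "rate_limited"
    LAST_CALL_BY_PHONE[phone] = now
    LAST_CALL_BY_IP[client_ip] = now
    return "ok"
```

The weak handler accepts any account whose request carries the flag and gives every new username its own quota; the hardened one refuses until the server itself has recorded the SMS verification and shares the quota across accounts on the same phone or address.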
But Smith wasn’t done yet. He built a script using free SMS service TextFree that could automatically verify new accounts he created, allowing them to use the Find Friends exploit. He predicted Snapchat would have to add a Captcha system to bar bots like his, but a Reddit user noted Captcha answers can be bought online.
So today, I found that Snapchat has added its own proprietary form of Captcha I’m calling “Snap-tcha”. Rather than spell out blurry words, Snapchat’s user flow now has a roadblock explaining “Just making sure you’re not a robot. Select all images containing a ghost.” You then pick from nine images, some with the Snapchat ghost mascot, some with white birds, eggs, hearts, and other shapes that could fool machines. I’ve reached out to Snapchat for confirmation of its new security features.
With the server-checked phone number verification and “find the ghosts” roadblock, it will now be much harder for hackers to use SnapchatDB or other exploits to find usernames or phone numbers and blast them with spam or scams.
Still, Smith has some harsh words for Snapchat that he shared with me over a series of Twitter DMs. “Snapchat is doomed forever as far as security. Even if they fix this once and for all. They have the wrong idea. They don’t work well with outsiders. Overall it was a terrible experience. And I will never work with Snapchat even for a ridiculous sum of money.”
Those certainly sound like the hyperbolic words of an emotional teenager. As a hot tech startup suddenly thrust into the security spotlight, you can bet Snapchat is re-doubling its efforts to protect its service and users. But the improvements like its new Snap-tcha system can’t come fast enough. While its young user base isn’t too risk-averse and growth seems undaunted by the account details leak, Snapchat doesn’t want to find out how many hacks is too many.
Read more: Snapchat Makes You “Find The Ghosts” To Keep Hackers From Stealing Your Phone Number