Snapchat Uses Ghosts to Verify Users' Humanity
In the wake of hacks that resulted in leaked phone numbers and dummy account exploits, it's not a great time to be a Snapchat user.
In order to ensure that people who sign up for Snapchat are actual human beings, the mobile photo-messaging service has added a verification system that asks users to identify pictures of ghosts. It's not as scary as it sounds, but the measure may be too little, too late.
On Jan. 2, hackers exploited a known Snapchat vulnerability and released a comprehensive database of 4.6 million Snapchat usernames and associated phone numbers. Following that privacy breach, Snapchat solicited outside help in addressing future security issues, and teenage security expert Graham Smith stepped in.
When new users register Snapchat accounts, they must enter their phone numbers. After doing so, they have the option to opt out of the Find Friends feature, which allowed the 4.6 million usernames to get leaked in the first place.
However, Smith discovered that Snapchat never subjected the phone numbers of new account holders to server-side validation: the app checked the number on the client, but the server accepted whatever it was sent. That meant "bots," or computer scripts, could sign up for Snapchat accounts en masse with fake phone numbers, and those dummy accounts could then run Find Friends lookups to harvest real Snapchat users' usernames and numbers.
In effect, any Snapchat user, including those whose own accounts had not yet been verified, could have his or her number harvested through a simple security flaw. Worse still, because the app requires a phone number before users can opt out of Find Friends, every user's phone number is at least temporarily exposed to an industrious attacker.
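The two paragraphs above describe the flaw in prose. The model below is an added illustration, not Snapchat's code or Smith's script: an in-memory service in which registration takes the client's phone number on faith and Find Friends has no lookup cap, next to a hardened version that proves number ownership with a server-checked one-time code and caps lookups per account. The class and function names, the sample users, the candidate number block and the quota of 50 are all constructed for the example.

```python
"""Model of the Find Friends harvesting flaw and one hardened design.

Added example (not Snapchat code). The in-memory "directory" stands in for the
username/phone store; the sample accounts are constructed. Class and function
names are this example's own assumptions, not Snapchat's API.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    phone: str
    verified: bool = False
    lookups: int = 0          # numbers queried through Find Friends (hardened path only)


class VulnerableService:
    """Registration stores whatever phone the client sends; there is no proof of
    ownership and no lookup quota, so a script can mass-register and enumerate."""

    def __init__(self, directory):
        self.directory = dict(directory)   # phone -> username of existing users
        self.accounts = {}

    def register(self, username, phone):
        # Only the client validated the number; the server accepts any string.
        self.accounts[username] = Account(username, phone, verified=True)
        self.directory[phone] = username
        return True

    def find_friends(self, username, phones):
        return {p: self.directory[p] for p in phones if p in self.directory}


class HardenedService:
    """Ownership is proved by a one-time code checked server-side; Find Friends
    is gated on verification and capped per account."""

    LOOKUP_QUOTA = 50   # assumed per-account cap, illustrative only

    def __init__(self, directory):
        self.directory = dict(directory)
        self.accounts = {}
        self.pending = {}   # username -> one-time code "sent" to the phone
        self.outbox = []    # stands in for the SMS gateway

    def register(self, username, phone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.accounts[username] = Account(username, phone)   # verified=False
        self.pending[username] = code
        self.outbox.append((phone, code))   # only the real owner of `phone` sees this
        return True

    def verify(self, username, code):
        expected = self.pending.get(username)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        acct = self.accounts[username]
        acct.verified = True
        self.directory[acct.phone] = username   # only verified numbers enter the directory
        del self.pending[username]
        return True

    def find_friends(self, username, phones):
        acct = self.accounts.get(username)
        if acct is None or not acct.verified:
            raise PermissionError("phone number not verified")
        if acct.lookups + len(phones) > self.LOOKUP_QUOTA:
            raise PermissionError("Find Friends quota exceeded")
        acct.lookups += len(phones)
        return {p: self.directory[p] for p in phones if p in self.directory}


# Constructed sample data: three existing users whose numbers an attacker wants.
REAL_USERS = {"+15550000101": "alice", "+15550000102": "bob", "+15550000103": "carol"}
# The attacker's script walks a whole block of candidate numbers.
CANDIDATES = [f"+1555000{n:04d}" for n in range(0, 200)]


def harvest_vulnerable():
    """Bot with a fake number enumerates the block: every real user comes back."""
    svc = VulnerableService(REAL_USERS)
    svc.register("bot_0001", "+10000000000")   # fake number, accepted as-is
    return svc.find_friends("bot_0001", CANDIDATES)


def harvest_hardened():
    """Same bot against the hardened service: it never verified, so it is refused."""
    svc = HardenedService(REAL_USERS)
    svc.register("bot_0001", "+10000000000")
    try:
        svc.find_friends("bot_0001", CANDIDATES)
    except PermissionError as e:
        return str(e)
    return "unexpected success"


def harvest_hardened_verified():
    """An attacker who does own one phone can verify, but the quota stops bulk enumeration."""
    svc = HardenedService(REAL_USERS)
    svc.register("one_real_phone", "+15559999999")
    _phone, code = svc.outbox[-1]   # the attacker owns this phone, so sees the code
    svc.verify("one_real_phone", code)
    try:
        svc.find_friends("one_real_phone", CANDIDATES)
    except PermissionError as e:
        return str(e)
    return "unexpected success"


if __name__ == "__main__":
    print(harvest_vulnerable())
    print(harvest_hardened())
    print(harvest_hardened_verified())
```

The quota is the part that matters once ownership is verified: an attacker with a pool of real SIMs can still pass the code check, so verification alone only raises the cost per account, while a per-account cap on lookups bounds what each verified account can harvest.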
To test this vulnerability, Smith searched the leaked database for Bobby Murphy, the co-founder of Snapchat. Using the validation vulnerability, Smith confirmed Murphy's phone number and texted him to discuss the issue.
Over the next few weeks, Smith worked alongside Snapchat to implement server-side validation and other fixes, but found the Snapchat staff to be obstinate and unwilling to make his recommended changes. Frustrated, he washed his hands of the issue and let Snapchat handle the rest.
"Snapchat is doomed forever, as far as security," Smith told TechCrunch. "They don't work well with outsiders. ... I will never work with Snapchat, even for a ridiculous sum of money."
On Jan. 21, Snapchat rolled out a new update without Smith's help. In addition to server-side phone number validations, it added a visual element for account verification. When entering their phone numbers, incoming Snapchatters now need to view nine images and select all of them that contain a ghost (instead of a bird, a heart, an egg or a tree).
Given Snapchat's poor record when it comes to privacy, it's unlikely that a visual CAPTCHA will be the end of the company's security woes.
Still, Snapchat is much more secure now than it was at the beginning of January. With any luck, it won't take another enormous breach for Snapchat to implement even tighter protocols.