Poor security still haunts Snapchat
Snapchat’s having a rough month when it comes to safeguarding user privacy, and the hits just keep on coming.
On Wednesday the app well-loved for its disappearing messages rolled out a new security feature designed to keep robots from spamming the service. It seemed simple enough: a captcha system that offers up nine images and requires users to select every image that features the Snapchat ghost icon.
By Wednesday evening, blogger and grad student Steven Hickson had cracked the system wide open with little effort. Hickson, who studies computer vision and robotics, wrote a basic program that enabled his computer to find every ghost in the captcha with 100 percent accuracy, proving Snapchat’s new verification system is little more than smoke and mirrors.
The captcha hack is the latest in a string of security failures Snapchat has faced since the new year began. On Jan. 1, a group of hackers published a database of 4.6 million names and phone numbers exposed by exploiting the Find Friends feature of Snapchat’s API. Snapchat had been warned days prior that such a hack was possible, but whatever measures the company put in place to prevent it clearly didn’t work.
In response to the hack, Snapchat updated the app to let users opt out of linking their names to their phone numbers, which is how friends find each other. Users also had to verify their phone numbers before using the Find Friends feature. But according to TechCrunch, Snapchat wasn’t actually verifying that your phone number matched your name on its end, so that update was pointless. Users also saw an increase in spam, which Snapchat said was unrelated to the Find Friends exploit.
The captcha patch was designed to prevent that spam, but clearly Snapchat is struggling to plug the holes in its security system. Its original suggestion: “Adjust your settings to determine who can send you snaps. We recommend ‘Only My Friends.’”
But that solution might not be good enough, especially if user information is still open to exploitation.