
Not such a happy new year for Snapchat

All Security Reviews Staff · January 28, 2014


The hits just keep coming for picture-sharing giant Snapchat. After nearly a month of security trouble, the company put a new safeguard in place last week to keep out spam accounts trolling for user data. After registering, new users are prompted to pick out the images containing Snapchat's ghost mascot, a twist on a traditional CAPTCHA. Choose the images with ghosts and you're good to go; otherwise, registration is denied. Good in theory, right? It didn't last long. Security researcher Steven Hickson spent about 30 minutes and wrote less than 100 lines of code that "with very little effort … was able to 'find the ghost' in the above example with 100% accuracy." His write-up is worth reading in full. Hickson called the scheme "an incredibly bad way" to tell real users from data-trolling bots, because the puzzle is so easy to solve: the ghost is the same piece of artwork in every tile, so a program only has to learn to recognize it once. He says his solution isn't perfect, but "if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong." A Snapchat spokeswoman told the Washington Post the company is making significant progress in securing the network. "For security reasons, we cannot provide detailed information on security countermeasures," she said.
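To make the weakness concrete, here is an added, constructed illustration of why a selection CAPTCHA built around one fixed piece of artwork is easy to automate. It is not Hickson's code and not Snapchat's; the 8x8 "ghost", the 16x16 tiles, the match threshold and the stray-pixel noise are all made up for the example. The idea is plain template matching: slide the known mascot over each tile and keep the best pixel-agreement score. Any tile that scores above a threshold "contains the ghost".

```python
from typing import List, Tuple

Bitmap = List[str]  # rows of '#' (set pixel) and '.' (clear pixel)

# The known mascot: a constructed 8x8 "ghost" standing in for the artwork
# that the CAPTCHA reuses unchanged in every tile.
GHOST: Bitmap = [
    "..####..",
    ".######.",
    "##.##.##",
    "########",
    "########",
    "########",
    "#.####.#",
    "#.#..#.#",
]

def blank_tile(size: int = 16) -> List[List[str]]:
    return [["."] * size for _ in range(size)]

def stamp(tile: List[List[str]], shape: Bitmap, top: int, left: int) -> None:
    """Draw a bitmap onto a tile at the given offset (constructed test data)."""
    for r, row in enumerate(shape):
        for c, px in enumerate(row):
            if px == "#":
                tile[top + r][left + c] = "#"

def window_score(tile: List[List[str]], template: Bitmap, top: int, left: int) -> float:
    """Fraction of template pixels that agree with the tile at this offset."""
    h, w = len(template), len(template[0])
    matches = sum(
        1 for r in range(h) for c in range(w) if tile[top + r][left + c] == template[r][c]
    )
    return matches / (h * w)

def best_match(tile: List[List[str]], template: Bitmap) -> Tuple[float, int, int]:
    """Slide the template over every offset and return (score, top, left) of the best."""
    h, w = len(template), len(template[0])
    best = (0.0, -1, -1)
    for top in range(len(tile) - h + 1):
        for left in range(len(tile[0]) - w + 1):
            s = window_score(tile, template, top, left)
            if s > best[0]:
                best = (s, top, left)
    return best

def solve_captcha(tiles: List[List[List[str]]], template: Bitmap = GHOST,
                  threshold: float = 0.9) -> List[int]:
    """Indices of the tiles that contain the fixed mascot.

    The threshold (an assumed value) tolerates a few stray pixels, so light
    noise does not rescue the scheme; only artwork that varies would."""
    return [i for i, t in enumerate(tiles) if best_match(t, template)[0] >= threshold]

def constructed_tiles() -> List[List[List[str]]]:
    """Four made-up tiles: ghost, solid block, hollow ring, ghost again."""
    t0 = blank_tile()
    stamp(t0, GHOST, 3, 5)
    t0[0][0] = t0[15][15] = "#"   # dust outside the ghost
    t0[5][7] = "#"                 # one noisy pixel inside the ghost's window
    t1 = blank_tile()
    stamp(t1, ["########"] * 8, 4, 4)
    t2 = blank_tile()
    stamp(t2, ["########"] + ["#......#"] * 6 + ["########"], 2, 6)
    t3 = blank_tile()
    stamp(t3, GHOST, 7, 0)
    return [t0, t1, t2, t3]

if __name__ == "__main__":
    tiles = constructed_tiles()
    for i, t in enumerate(tiles):
        print(i, best_match(t, GHOST))
    print("tiles with the ghost:", solve_captcha(tiles))
```

The solid block scores about 0.78 and the ring far less, while both ghost tiles score above 0.98 even with a noisy pixel, so the matcher picks exactly the right tiles. Nothing here is clever, which is the point: a CAPTCHA only does its job when the thing it asks you to recognize is hard for software to recognize, and a single reused image is not.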

Let’s back up

The trouble started as we rang in 2014, when a hacker group posted the usernames and corresponding phone numbers of more than 4.5 million users onto SnapchatDB.info. (The site has since been taken down.) The hack came days after Snapchat acknowledged on its blog a security vulnerability in its Find Friends feature, the same one Gibson Security had identified the previous August. "Theoretically, if someone were able to upload a huge set of phone numbers, like every number in an area code, or every possible number in the U.S., they could create a database of the results and match usernames to phone numbers that way," Snapchat's post reads. "Over the past year we've implemented various safeguards to make it more difficult to do." Not quite. Usernames and phone numbers were posted just days later. The last two digits of each number were censored "in order to minimize spam and abuse," according to the site's creators. "Feel free to contact us to ask for the uncensored database. Under certain circumstances, we may agree to release it." The site suggested using the phone numbers in the database to find Facebook and Twitter accounts or just "figure out the phone numbers of people you wish to get in touch with." The site's creators said Snapchat "was too reluctant at patching the exploit until they knew it was too late and companies that we trust with our information should be more careful when dealing with it."

Trying to patch things up

Following the data leak, Snapchat released iOS and Android app updates requiring new users to verify their phone numbers before using the Find Friends feature, the feature that matches uploaded phone numbers to usernames. The updates also let users opt out of linking their phone number to their username at all.
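To show what the blog post's "upload a huge set of phone numbers" scenario looks like next to the direction the updates took, here is an added, constructed model of a contact-matching endpoint. It is not Snapchat's code: the accounts, phone numbers, the per-request batch limit and the daily lookup budget are all assumptions made for the example. The open version answers any caller with any number of lookups, so enumerating a whole exchange block dumps the directory; the hardened version requires a verified caller, caps batch size and daily volume, and never returns users who opted out of being found by phone.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class User:
    username: str
    phone: Optional[str]       # None when the user chose not to link a number
    searchable: bool = True    # user may opt out of being found by phone

# Constructed directory: a few accounts inside one made-up exchange block 555-010-xxxx.
DIRECTORY: List[User] = [
    User("alice_k", "5550100212"),
    User("bob.r", "5550100777", searchable=False),
    User("carol", None),
    User("dave42", "5550101999"),
]
PHONE_INDEX: Dict[str, User] = {u.phone: u for u in DIRECTORY if u.phone}

def enumerate_block(prefix: str, digits: int) -> List[str]:
    """Every number with the given prefix: '555010' + 4 digits -> 10,000 candidates."""
    return [f"{prefix}{i:0{digits}d}" for i in range(10 ** digits)]

def find_friends_open(numbers: List[str]) -> Dict[str, str]:
    """The weak design: no caller identity, no size limit, every hit returned.
    Feed it an enumerated area code and it becomes a phone-to-username dump."""
    return {n: PHONE_INDEX[n].username for n in numbers if n in PHONE_INDEX}

@dataclass
class Caller:
    verified_phone: Optional[str]   # None until the caller has proven a number
    lookups_used: int = 0

MAX_BATCH = 50                 # assumed limit per request
MAX_LOOKUPS_PER_DAY = 500      # assumed daily budget per verified caller

class LookupDenied(Exception):
    pass

def find_friends_hardened(caller: Caller, numbers: List[str]) -> Dict[str, str]:
    """Verified callers only, bounded volume, and opted-out users are invisible."""
    if caller.verified_phone is None:
        raise LookupDenied("verify a phone number before using Find Friends")
    if len(numbers) > MAX_BATCH:
        raise LookupDenied(f"at most {MAX_BATCH} numbers per request")
    if caller.lookups_used + len(numbers) > MAX_LOOKUPS_PER_DAY:
        raise LookupDenied("daily lookup budget exhausted")
    caller.lookups_used += len(numbers)
    return {
        n: PHONE_INDEX[n].username
        for n in numbers
        if n in PHONE_INDEX and PHONE_INDEX[n].searchable
    }

def run_demo() -> dict:
    """Exercise both endpoints and report what each one gives an attacker."""
    block = enumerate_block("555010", 4)
    result = {"open_hits": len(find_friends_open(block))}

    try:
        find_friends_hardened(Caller(verified_phone=None), block[:5])
        result["unverified_denied"] = False
    except LookupDenied:
        result["unverified_denied"] = True

    attacker = Caller(verified_phone="5550109999")   # assumed, already verified
    try:
        find_friends_hardened(attacker, block)        # whole block in one go
        result["bulk_denied"] = False
    except LookupDenied:
        result["bulk_denied"] = True

    # Small, legitimate-looking batch: alice is found, bob opted out.
    result["hardened_hits"] = find_friends_hardened(attacker, ["5550100212", "5550100777"])

    # Chunking the block into MAX_BATCH pieces runs into the daily budget.
    batches_ok = 0
    budget_caller = Caller(verified_phone="5550109998")
    try:
        for i in range(0, len(block), MAX_BATCH):
            find_friends_hardened(budget_caller, block[i:i + MAX_BATCH])
            batches_ok += 1
    except LookupDenied:
        pass
    result["batches_before_budget"] = batches_ok
    return result

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The budget is a speed bump, not a wall: an attacker with many verified accounts can split the work, so the control that actually removes data from reach is the opt-out, which stops a linked number from being returned at all. Even the hardened endpoint still confirms which submitted numbers belong to searchable users, which is the irreducible cost of offering contact matching.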

What about me?

If you’re late to the party and not sure whether your information was leaked, visit SNAPCHECK, developed by data scientist and software developer Vik Paruchuri, or GS Lookup – Snapchat, put together by Gibson Security.

What’s the big deal?

For most smartphone users, signing up for a new app, personal information and all, has become second nature, and that is especially true for apps with a young audience, like Snapchat. A leaked username and phone number may not sound like the end of the world, but it can cause more trouble than it seems: a phone number is enough to target someone with spam and phishing texts, and many people reuse the same username, email address and password across a host of websites and apps, so a leak in one place opens doors in many others. If you were one of the unlucky 4.6 million, change your Snapchat password if you use it anywhere else (a unique password for every site and app is good practice), update your apps to pick up the latest security fixes, and keep an eye out for phishing scams sent via bogus text messages.


All Security Reviews Staff

Our team at All Security Reviews (ASR) has extensive experience in the personal security industry. At ASR we bring this experience and expertise to you by reviewing security providers and grading each company through our proprietary Identity Protection Rating System.