Snapchat Falters on Security Again, Experts Say
Mon, January 27, 2014
CSO — Snapchat has demonstrated again its lack of understanding in building strong security to protect users of its popular mobile app for sharing photos.
The company introduced last week a CAPTCHA verification method for checking whether a new subscriber is human or a computer program. Cybercriminals will use the latter to set up fake accounts in order to distribute spam or to find ways to steal the personal information of users of the service.
CAPTCHA methods can help reduce the number of fake accounts, but Snapchat's implementation was easily hacked by Steven Hickson, a graduate research assistant at the Georgia Institute of Technology.
In fact, Snapchat's CAPTCHA was so weak that Hickson spent less than an hour building a computer program that could fool the mobile app maker's system with "100 percent accuracy."
"They're a very, very new company and I think they're just lacking the personnel to do this kind of thing," Hickson told CSOonline Monday.
To ensure the would-be user is human, the Snapchat system asks the registrant to pick, from nine illustrations, the ones containing Snapchat's white ghost mascot. The problem with the system is that the mascot image varies only in size and angle, making it easy for a computer to find.
To keep a CAPTCHA system from being hacked, "you want something that has a lot of variety in the answer," Hickson said. "Basically, one right answer, but a very, very large amount of wrong answers. You want something that's very, very hard for a computer to solve."
Hickson provides the technical details of the hack on his blog. In general, he used Intel's Open Source Computer Vision Library (OpenCV) and a couple of other supporting technologies to build the program capable of identifying the Snapchat mascot in the illustrations. OpenCV is a library of programming functions aimed at giving computers the ability to identify images.
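The design flaw Hickson describes, a target that differs from challenge to challenge only in size and angle, can be measured before a CAPTCHA ships by running a deliberately simple solver against generated challenges and recording its pass rate. The following is an added, constructed example written for this page; it is not Hickson's code and does not use OpenCV or Snapchat's images. It stands in for the mascot with a small asymmetric polygon and for the decoys with other polygons (all assumed shapes), applies only scaling and rotation, and shows that a solver built on a feature invariant to exactly that variation (the isoperimetric ratio P²/A together with the vertex count) passes every nine-tile challenge, against a random-guess baseline of roughly 1 in 512.

```python
"""Self-assessment harness for a pick-the-mascot image CAPTCHA (constructed example).

A challenge is nine tiles; some show the "mascot", the rest show decoys.  In
the weak design the mascot only changes size and angle, so a shape feature
that ignores size and angle identifies it every time.
"""
import math
import random

# Constructed stand-in shapes (x, y vertices).  The mascot is an asymmetric L.
MASCOT = [(0, 0), (3, 0), (3, 1), (1, 1), (1, 4), (0, 4)]
DECOYS = {
    "square": [(0, 0), (2, 0), (2, 2), (0, 2)],
    "triangle": [(0, 0), (4, 0), (2, 3)],
    "bar": [(0, 0), (5, 0), (5, 1), (0, 1)],
}


def transform(poly, scale, angle):
    """Scale and rotate a polygon: the only variation the weak design offers."""
    c, s = math.cos(angle), math.sin(angle)
    return [(scale * (x * c - y * s), scale * (x * s + y * c)) for x, y in poly]


def area(poly):
    n = len(poly)
    return abs(sum(poly[i][0] * poly[(i + 1) % n][1] - poly[(i + 1) % n][0] * poly[i][1]
                   for i in range(n))) / 2


def perimeter(poly):
    n = len(poly)
    return sum(math.dist(poly[i], poly[(i + 1) % n]) for i in range(n))


def shape_signature(poly):
    """(vertex count, P^2/A): both are unchanged by scaling and rotation."""
    return len(poly), perimeter(poly) ** 2 / area(poly)


MASCOT_SIGNATURE = shape_signature(MASCOT)


def looks_like_mascot(poly):
    n, ratio = shape_signature(poly)
    return n == MASCOT_SIGNATURE[0] and math.isclose(ratio, MASCOT_SIGNATURE[1], rel_tol=1e-9)


def make_challenge(rng):
    """Return (tiles, answer): nine transformed polygons and the indices that show the mascot."""
    tiles, answer = [], set()
    for i in range(9):
        is_mascot = rng.random() < 0.4
        base = MASCOT if is_mascot else rng.choice(list(DECOYS.values()))
        tiles.append(transform(base, rng.uniform(0.5, 2.0), rng.uniform(0, 2 * math.pi)))
        if is_mascot:
            answer.add(i)
    return tiles, answer


def invariant_solver(tiles):
    """Picks every tile whose invariant signature matches the mascot's."""
    return {i for i, t in enumerate(tiles) if looks_like_mascot(t)}


def random_solver(tiles, _rng=random.Random(1)):
    """Baseline: toggle each of the nine tiles at random (1 in 512 chance of passing)."""
    return {i for i in range(len(tiles)) if _rng.random() < 0.5}


def pass_rate(solver, n=1000, seed=0):
    """Fraction of generated challenges the solver answers exactly right."""
    rng = random.Random(seed)
    passed = sum(solver(tiles) == answer for tiles, answer in (make_challenge(rng) for _ in range(n)))
    return passed / n


if __name__ == "__main__":
    print("invariant solver:", pass_rate(invariant_solver))
    print("random guessing: ", pass_rate(random_solver))
```

The number to watch in such a harness is the gap between the trivial solver and the guessing baseline: if a feature that discards the only variation you add gets to 100 percent, the challenge has no variety in the sense Hickson means, and adding more tiles or more rotation does not change that.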
Zach Lanier, senior security researcher for mobile authentication specialist Duo Security, said Hickson's CAPTCHA bypass is "totally legitimate."
"In my opinion, if Snapchat is really concerned about improving security, they should take some lessons from Hickson's findings," Lanier said.
Chris Grayson, senior security analyst for consultancy Bishop Fox, agreed, saying "the CAPTCHA mechanism that they implemented is decidedly weak, as demonstrated by Steven Hickson's proof-of-concept, and offers little additional security to Snapchat users."
Snapchat did not respond to a request for comment.
Mobile app developers have become notoriously weak in building adequate security to protect users' personal information. Recent studies have shown serious weaknesses in data protection in mobile apps built by small vendors, as well as airlines, retail outlets, entertainment companies, insurance companies and financial institutions.