In an effort to protect the phone numbers of its 4.6 million users, Snapchat has implemented a unique captcha program to verify that users are indeed humans, and not robots that are part of a plan to steal phone numbers, photos and other private information. This change came after a high-school-aged hacker pointed out how easy it was for him to leak the account database by simply finding the phone number of Snapchat's chief technical officer.
The leak originated from Snapchat's Find Friends API feature, which the hacker exploited to make a tool that determined if random strings of numbers were in fact connected to a Snapchat account. Eventually, this method became precise enough to verify the first eight digits of any user's phone number.
To solve the issue, Snapchat's captcha program asks users to pick, from a selection of images, the ones that show Snapchat's mascot, a cute-looking ghost. Several previous attempts to seal the leak, such as limiting the rate at which accounts could use the API feature or asking users to verify their accounts, proved ineffectual at solving the problem.
The ghost captcha is designed to occasionally ask users to point out which pictures contain the Snapchat ghost, as opposed to pictures of white flowers, eggs and trees, which could easily fool a robot. This was seen as an excellent move at first, since robots would have a hard time identifying the images while human operators should have no difficulty doing the same.
Unfortunately, security researchers are calling the feature a joke, with some even managing to create programming scripts that automatically recognize the shape of the ghost. Even more telling is that this script was developed in under an hour. So far, it appears that this security measure has been “ghostbusted.”
The big takeaway from all of this is that hackers have more tools than ever to bypass common security measures. The fact that a mere teenager pointed out these flaws shows that these tools are available to practically anyone, and that cyber attacks will only increase in both frequency and aggression. Regardless, Snapchat is doing its best to solve these issues, and is quick to thank white-hat hackers for pointing out the problem instead of exploiting it.
Edited by Alisen Downey