Even though Snapchat’s team was apparently terrible to work with, according to the 16-year-old hacker who pointed out the security hole that needed fixing, it still seemed like a step in the right direction when it came to Snapchat patching weak spots in a timely manner.
But apparently Snapchat is both still unapologetically dismissive of white hat hackers and really bad at fixing security holes, because a man named Steve Hickson has already hacked Snaptcha with 100 lines of simple, template-matching code.
Hickson described the process in his blog.
With very little effort, my code was able to "find the ghost" in the above example with 100 percent accuracy. I'm not saying it is perfect, far from it. I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong. There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing.
Mark it down as another misstep for Snapchat. It’s just the latest in several major stumbles. First, even after a gigantic security breach that leaked 4.6 million users’ information, Snapchat was vague about what it would do in the future to bolster security, and didn’t bother acknowledging Gibson Security, the hacker team who tried to alert the app to the flaw that eventually caused the leak. If the team was smart, they’d have tried to hire the hackers, not ignore them. Or at least publicize their good deed in pointing out the huge hole.
Then, Snapchat’s native security team didn’t notice several substantial security gaps. Instead, Graham Smith, the high-school hacker from the previously mentioned Snaptcha story, had to point them out. And Snapchat apparently hasn’t learned its lesson, because the team didn’t treat Smith well. “I never felt like they took my suggestions under consideration,” he told me via email.
Smith explained how he reported the security issues he found to Snapchat’s newly created security@snapchat email address, and how his initial communications with the company were frustratingly slow. He said that he had an interview with Bobby Murphy, and that it went better than his interactions with other security staff. But ultimately, Smith remains perturbed by the company’s approach.
Hickson isn’t the only person who has cracked Snaptcha; Smith also figured out how to work around Snapchat’s flimsy security solution, though he hasn’t published the details:
I successfully finished my SNAPTCHA "liberation" script today. — Graham Smith (@neuegram) January 22, 2014
Thus, Snapchat’s big go at creating a security function has swiftly failed.
At this point I’m wondering if Snapchat’s native security team is, like, a rag-tag group of Evan Spiegel’s imaginary friends. It’s disappointing from a company Facebook offered to buy for $3 billion; wouldn’t you expect better?
Smith agrees. He told me via email that his comment to TechCrunch’s Josh Constine saying that the company is “doomed” wasn’t entirely accurate. “Out of context, that means the entire company. I meant their security if, and only if, they continue with how they treat security. Their product is based off of security and privacy, yet they don't value it. They prefer an illusion of security, security by obscurity if you will,” Smith wrote.
In other words, Snapchat: get a better security team or your entire illusion of protected intimacy will be as unsubstantiated as a ghost.