Surprise: Snapchat’s new Snaptcha security feature has already been hacked
Well, that was fast. But not surprising.
Even though Snapchat’s team was apparently terrible to work with, according to the 16-year-old hacker who pointed out the security hole that needed fixing, it still seemed like a step in the right direction when it came to Snapchat patching weak spots in a timely manner.
But apparently Snapchat is both still unapologetically dismissive of white hat hackers and really bad at fixing security holes, because a man named Steve Hickson has already hacked Snaptcha with 100 lines of simple template-matching code.
Hickson described the process in his blog.
With very little effort, my code was able to “find the ghost” in the above example with 100 percent accuracy. I’m not saying it is perfect, far from it. I’m just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong. There are a ton of ways to do this using computer vision, all of them quick and effective. It’s a numbers game with computers and Snapchat’s verification system is losing.
Mark it down as another misstep for Snapchat. It’s just the latest in several major stumbles. First, even after a gigantic security breach that leaked 4.6 million users’ information, Snapchat was vague about what it would do in the future to bolster security, and didn’t bother acknowledging Gibson Security, the hacker team who tried to alert the app to the flaw that eventually caused the leak. If the team was smart, they’d have tried to hire the hackers, not ignore them. Or at least publicize their good deed in pointing out the huge hole.
Then, Snapchat’s native security team didn’t notice several substantial security gaps. Instead, Graham Smith, the high-school hacker from the previously mentioned Snaptcha story, had to point them out. And Snapchat apparently hasn’t learned its lesson, because the team didn’t treat Smith well. “I never felt like they took my suggestions under consideration,” he told me via email.
Smith explained how he reported the security issues he found to Snapchat’s newly created [email protected] email address, and how his initial communications with the company were frustratingly slow. He said that he had an interview with Bobby Murphy, and that it went better than his interactions with other security staff. But ultimately, Smith remains perturbed by the company’s approach.
Hickson isn’t the only person who has cracked Snaptcha; Smith also figured out how to work around Snapchat’s flimsy security solution, though he hasn’t published the details:
I successfully finished my SNAPTCHA “liberation” script today.
— Graham Smith (@neuegram) January 22, 2014
Thus, Snapchat’s big go at creating a security function has swiftly failed.
At this point I’m wondering if Snapchat’s native security team is, like, a rag-tag group of Evan Spiegel’s imaginary friends. It’s disappointing from a company Facebook offered to buy for $3 billion; wouldn’t you expect better?
Smith agrees. He told me via email that his comment to TechCrunch’s Josh Constine saying that the company is “doomed” wasn’t entirely accurate. “Out of context, that means the entire company. I meant their security if, and only if, they continue with how they treat security. Their product is based off of security and privacy, yet they don’t value it. They prefer an illusion of security, security by obscurity if you will,” Smith wrote.
In other words, Snapchat: get a better security team or your entire illusion of protected intimacy will be as unsubstantiated as a ghost.
Kate Knibbs is a notable tech reporter and pop culture essayist. A former staff writer for the Daily Dot, her work has appeared in Gizmodo, the Ringer, AV Club, Digital Trends, Popular Mechanics, and Time.