Snapchat Makes You “Find The Ghosts” To Keep Hackers From Stealing Your Phone Number [Update: But It Fails]

Snapchat now verifies new users aren’t robots by making them choose its ghost mascot within images. It’s an attempt to keep out hackers who could steal phone numbers by exploiting a leaked database of details on 4.6 million accounts. a 16-year-old hacker proved he could do just that by finding the number of Snapchat CTO Bobby Murphy, but now he says Snapchat has patched the holes he harnessed. [Update: But the “Snap-tcha” solution doesn’t seem very secure as another hacker built a workaround in under an hour.]

Graham Smith, a high school sophomore from Dallas, Texas has documented his research on Snapchat security. He tells me he began experimenting with Snapchat’s undocumented API over the summer. He built a tool that could determine if a string of numbers was actually a phone number connected to a Snapchat account, similar to the exploit Gibson Security outlined when it detailed Snapchat’s security holes. An independent hacker group then used Snapchat’s Find Friends feature to create SnapchatDB, a database of 4.6 million usernames and the first 8 digits of people’s phone numbers.

Screen Shot 2014-01-21 at 7.46.27 PM

After getting blasted by the press, Snapchat said it was open to security tips from researchers and patched the hole Smith used by rate limiting accounts to one Find Friends API call per hour. But Smith soon discovered hackers could simply set up a new account for each API call. He reached out to Snapchat about it, and a spokesperson said the company was “willing” to work on the problem.

A few days later, Smith writes he had seen no sign of Snapchat fixing the problem so he used his exploit to find Snapchat CTO Bobby Murphy’s phone number and text him. Smith says Murphy responded telling him to send an email and he’d look into the problem.

Screen Shot 2014-01-21 at 8.08.14 PMA week later Smith found another hole. Snapchat had updated its apps to require new users to verify their phone numbers, but Smith discovered there was no server-side check to see if accounts were actually verified before they used Find Friends, so his past exploit still worked. Murphy acknowledged the lack of a server-side check on January 13th, and by the 17th Snapchat was actively requiring a user’s phone number to be verified for them to use Find Friends — an until-now unreported fix of a serious security flaw.

But Smith wasn’t done yet. He built a script using free SMS service TextFree that could automatically verify new accounts he created, allowing them to use the Find Friends exploit. He predicted Snapchat would have to add a Captcha system to bar bots like his, but a Reddit user noted Captcha answers can be bought online.

Snap-tchaSo today, I found that Snapchat has added its own proprietary form of Captcha I’m calling “Snap-tcha”. Rather than spell out blurry words, Snapchat’s user flow now has a roadblock explaining “Just making sure you’re not a robot. Select all images containing a ghost.” You then pick from nine images, some with the Snapchat ghost mascot, some with white birds, eggs, hearts, and other shapes that could fool machines. Though sufficiently advanced machine vision or object recognition algorithms might be able to beat the Snap-tchas, so they may be more of a stopgap solution. At least the puzzle is easy to solve and fits Snapchat’s brand so it shouldn’t be too annoying to users.

[Update 8pm PST: Snapchat has confirmed the new security features to me and provided this statement:
“We appreciate the efforts of those who help identify vulnerabilities in our service and we continue to make significant progress in our efforts to secure Snapchat.”]

With the server-checked phone number verification and “find the ghosts” roadblock, it will now be harder for hackers to use SnapchatDB or other exploits to find usernames or phone numbers and blast them with spam or scams.

[Update 1/22, 12:45pm PST: The “Snap-tcha” system is being called a joke by security researchers, and one hacker named Steven Hickson says he’s already built a way to bypass it. Because the Snapchat ghost mascot is consistent shape, Hickson was able to use a combination of OpenCV, SURF, and FLANN to build a script that can automatically identify the ghost as shown below. Hopefully for users, the Snap-tcha system was only meant as a temporary solution and an improved or different security feature will be implemented soon.]


Still, Smith has some harsh words for Snapchat that he shared with me over a series of Twitter DMs. “Snapchat is doomed forever as far as security. Even if they fix this once and for all. They have the wrong idea. They don’t work well with outsiders. Overall it was a terrible experience. And I will never work with Snapchat even for a ridiculous sum of money.”

Those certainly sound like the hyperbolic words of an emotional teenager. As a hot tech startup suddenly thrust into the security spotlight, you can bet Snapchat is re-doubling its efforts to protect its service and users. But the improvements like its new Snap-tcha system can’t come fast enough. While its young user base isn’t too risk-averse and growth seems undaunted by the account details leak, Snapchat doesn’t want to find out how many hacks is too many.