Snapchat falters on security again, experts say

Company introduces CAPTCHA verification, criminals likely to exploit it for nefarious reasons


Snapchat has demonstrated again its lack of understanding in building strong security to protect users of its popular mobile app for sharing photos.


The company last week introduced a CAPTCHA verification method for checking whether a new subscriber is a human or a computer program. Cybercriminals use such programs to set up fake accounts in order to distribute spam or to find ways to steal the personal information of the service's users.

CAPTCHA methods can help reduce the number of fake accounts, but Snapchat's implementation was easily hacked by Steven Hickson, a graduate research assistant at the Georgia Institute of Technology.

In fact, Snapchat's CAPTCHA was so weak, Hickson spent less than an hour building a computer program that could fool the mobile app maker's system with "100 percent accuracy."

"They're a very, very new company and I think they're just lacking the personnel to do this kind of thing," Hickson told CSOonline Monday.

To check that the would-be user is human, the Snapchat system asks the registrant to pick, out of nine illustrations, the ones containing Snapchat's white ghost mascot. The problem with the system is that the mascot image varies only in size and angle, which makes it easy for a computer to find.

To avoid hacking a CAPTCHA system, "you want something that has a lot of variety in the answer," Hickson said. "Basically, one right answer, but a very, very large amount of wrong answers. You want something that's very, very hard for a computer to solve."

Hickson provides the technical details of the hack on his blog. In general, he used Intel's Open Source Computer Vision Library (OpenCV) and a couple of other supporting technologies to build a program capable of identifying the Snapchat mascot in the illustrations. OpenCV is a library of programming functions aimed at giving computers the ability to recognize objects in images.

Zach Lanier, senior security researcher for mobile authentication specialist Duo Security, said Hickson's CAPTCHA bypass is "totally legitimate."

"In my opinion, if Snapchat is really concerned about improving security, they should take some lessons from Hickson's findings," Lanier said.

Chris Grayson, senior security analyst for consultancy Bishop Fox, agreed, saying "the CAPTCHA mechanism that they implemented is decidedly weak, as demonstrated by Steven Hickson's proof-of-concept, and offers little additional security to Snapchat users."

Snapchat did not respond to a request for comment.


Mobile app developers have become notoriously weak in building adequate security to protect users' personal information. Recent studies have shown serious weaknesses in data protection in mobile apps built by small vendors, as well as airlines, retail outlets, entertainment companies, insurance companies and financial institutions.

Mobile app security is often given a lower priority than rolling out features, because there has not yet been a major breach in which valuable financial data was stolen from a smartphone. However, the risk of such a breach will rise as the number of purchases made with smartphones increases, along with the value of the data stored on the devices.

While security will slow down the app development process, "it's extremely necessary," Hickson said.

Hickson's work follows on the heels of another incident in which hackers exploited a weakness in Snapchat's feature for finding friends by displaying the usernames of people whose phone numbers match those in other users' address books. Hackers used the vulnerability to steal the usernames and phone numbers of more than 4 million users.

Snapchat updated the app to let users opt out of having their phone numbers linked to their usernames. In addition, people are now required to verify their phone number before using the "Find Friends" feature.

Copyright © 2014 IDG Communications, Inc.
