SnapChat hack a snap for Georgia Tech student

February 17, 2014

Faced with a decision between braving the below-freezing cold outside and breaking SnapChat's new security feature, Steven Hickson said it was a no-brainer.

The 23-year-old Georgia Tech doctoral student, who said he briefly worked for the National Security Agency in Maryland, cracked SnapChat's latest anti-hacker ploy within about a half hour.

SnapChat - a photo-sharing mobile app wildly popular with teens - added the new security layer last month after being forced to admit that white-hat hackers had breached its user database. That intrusion demonstrated that millions of usernames and phone numbers were vulnerable to criminals.

"It's a really big concern," Hickson said. (More on the original vulnerability later.) SnapChat's security update required the user to identify the company's ghost icon in a series of nine drawings - something only humans (not computers) supposedly could do. It was popularly dubbed "Snap-tcha," after the CAPTCHA, character-recognition feature widely used online.

Hickson's research involves using a Microsoft device called a Kinect, designed to respond to users' gestures and voices, to help computers recognize a range of real world objects (Think: A computer that can recognize a chair).

For him, it was no big stretch to get the program to locate the ghost images. The relative ease with which he did it speaks to the insecurity of the vast number of smartphone apps to which we entrust personal data.

SnapChat did not respond to requests for comment for this story, transmitted by email and social media.

With the SnapChat app, users transmit photos to other users' phones; the photos then vanish from both the company's servers and recipients' phones in just a matter of seconds. Kids love it, in part, because it leaves no evidence for the prying eyes of parents.

SnapChat is a venture capital darling. So far it's received more than $123 million in funding, according to CrunchBase, and its 23-year-old co-founder has turned down $3 billion and $4 billion offers from Facebook and Google, respectively.

Now, for the original hack: In December, researchers at white-hat Gibson Security announced the vulnerability, which they said they had first pointed out to SnapChat developers in August. It exploited the service's Find Friends feature.

That feature allows SnapChat users to match phone numbers in their contact lists to phone numbers (and usernames) in its subscriber database.

SnapChat claimed that it had heeded Gibson Security's August warning by capping the number of phone numbers a user could enter into Find Friends over any one period. (Thieves want a big haul, not just a few records.) But experts soon demonstrated the futility of SnapChat's solution by programming computers to automatically open multiple user accounts.

The Snap-tcha ghost-image puzzle was supposed to fix that problem by preventing computers from establishing accounts. Within 24 hours, Hickson and others had bypassed the new safeguard.

The hack doesn't directly imperil users' financial information. Still, with a username and phone number, criminals can often ensnare folks into downloading malware, visiting an infected website or filling out an online form that asks for their bank or credit card account information.

And Hickson wasn't alone in his exploit. Reportedly, a high school sophomore from Texas similarly upended the Snap-tcha - scary stuff, with or without a ghost icon.
