SnapChat hack a snap for Georgia Tech student

Faced with a decision between braving the below-freezing cold outside and breaking SnapChat’s new security feature, Steven Hickson said it was a no-brainer.

The 23-year-old Georgia Tech doctoral student, who said he briefly worked for the National Security Agency in Maryland, cracked SnapChat’s latest anti-hacker ploy within about a half hour.

SnapChat – a photo-sharing mobile app wildly popular with teens – added the new security layer last month after being forced to admit that white-hat hackers had breached its user database. That intrusion demonstrated that millions of usernames and phone numbers were vulnerable to criminals.

“It’s a really big concern,” Hickson said. (More on the original vulnerability later.)

SnapChat’s security update required the user to identify the company’s ghost icon in a series of nine drawings — something only humans (not computers) supposedly could do. It was popularly dubbed “Snap-tcha,” after the CAPTCHA, character-recognition feature widely used online.

Hickson’s research involves using a Microsoft device called a Kinect, designed to respond to users’ gestures and voices, to help computers recognize a range of real world objects (Think: A computer that can recognize a chair).

For him, it was no big stretch to get the program to locate the ghost images. The relative ease with which he did it speaks to the insecurity of the vast number of smartphone apps to which we entrust personal data.

SnapChat did not respond to requests for comment for this story, transmitted by email and social media.

With the SnapChat app, users transmit photos to other users’ phones, which then vanish from both the company’s servers and recipients’ phones in just a matter of seconds. Kids love it, in part, because it leaves no evidence for the prying eyes of parents.

SnapChat is a venture capital darling. So far it’s received more than $123 million in funding, according to CrunchBase, and its 23-year-old co-founder has turned down a $3 billion and $4 billion offers from Facebook and Google, respectively.

Now, for the original hack: In December, researchers at white-hat Gibson Security announced the vulnerability, which they said they had first pointed out to SnapChat developers in August. It exploited the service’s Find Friends feature.

That feature allows SnapChat users to match phone numbers in their contact lists to phone numbers (and usernames) in its subscriber database.

SnapChat claimed that it had heeded Gibson Security’s August warning by capping the number of phone numbers a user could enter into Find Friends over any one period. (Thieves want a big haul, not just a few records.) But experts soon demonstrated the futility of SnapChat’s solution by programming computers to automatically open multiple user accounts.

The Snap-tcha ghost-image puzzle was supposed to fix that problem by preventing computers from establishing accounts. Within 24 hours, Hickson and others had bypassed the new safeguard.

Oh, well.

The hack doesn’t directly imperil users’ financial information. Still, with a username and phone number, criminals can often ensnare folks into downloading malware or visiting an infected website or filling out an online form that asks for their bank or credit card account information.

And Hickson wasn’t alone in his exploit. Reportedly, a high school sophomore from Texas similarly upended the Snap-tcha – scary stuff, with or without a ghost icon.

Support real journalism. Support local journalism. Subscribe to The Atlanta Journal-Constitution today. See offers.

Your subscription to the Atlanta Journal-Constitution funds in-depth reporting and investigations that keep you informed. Thank you for supporting real journalism.