Snapchat is considered by many security experts a case study in how a lack of security by design can hit a large community of users and compromise their privacy; a few weeks ago the Starbucks app exposed the data of millions of customers to the risk of theft.
Recently I wrote a blog post on a couple of serious vulnerabilities in the photo messaging application Snapchat. The flaws were discovered by Gibson Security, which revealed that by using two exploits, known as the ‘Find Friends’ exploit and the ‘Bulk Registration’ exploit, it is possible to access data belonging to millions of users.
Unfortunately Snapchat ignored the alerts provided by Gibson Security, and a few weeks ago a website called SnapchatDB.info was published that reported the personal data of 4.6 million Snapchat accounts, including usernames and phone numbers.
“The stored data were available for download; the privacy of millions of users of the application was violated,” I reported in my previous post.
At this point the situation became serious and the company had to run for cover. In early 2014 Snapchat released an update to both its iOS and Android apps; the intent was to add a new security feature to prevent the abuse of new user creation to recruit accounts as spambots.
During the sign-in process Snapchat displays nine pictures and asks the new user to select the images containing a “ghost”.
“The problem with this is that the Snapchat ghost is very particular. You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision.”

“First, I extract the different images from the slide above, then I threshold them and the ghost template to find objects that are that color. Next, I extract feature points and descriptors from the test image and the template using SURF and match them using FLANN. I only use the “best” matches using a distance metric and then check all the matches for uniqueness to verify one feature in the template isn’t matching most of the test features. If the uniqueness is high enough and enough features are found, we call it a ghost,” he wrote in a blog post.

“There is a ton of ways to do this using computer vision, all of them quick and effective. It’s a numbers game with computers and Snapchat’s verification system is losing.”
(Security Affairs – SnapChat, hacking)