Snapchat to use "find the ghost" game to stem spam deluge

In the face of another security flaw, Snapchat has rolled out a verification screen for new users.

In order to confirm that these new users are not robots attempting to steal private data, the Snapchat app will now display nine colourful photos upon sign-up, and users will be required to select the photos that feature the Snapchat ghost icon before proceeding.

The move reportedly comes after Texas high school student Graham Smith notified Snapchat of "a flaw that left Find Friends vulnerable in spite of rate limiting and other quick-fixes they made."

Those quick fixes came after Gibson Security revealed several vulnerabilities within the Snapchat app late last year. One of those bugs could allow "someone to easily create a database of the usernames and phone numbers of users of the Snapchat application, in a small timeframe, using phone numbers automatically provided to the app." It wasn't long before someone - not Gibson - created such a database, posting the usernames and phone numbers for 4.6 million Snapchat users online.

Snapchat issued a fix earlier this month, but 16-year-old Smith found more bugs. And when Snapchat failed to respond, Smith took matters into his own hands: He found Snapchat co-founder Bobby Murphy among the leaked data and texted him. Spooked, Murphy said he'd look into the issue.

Smith was still playing detective a week later when he found another hole: The Find Friends feature's phone number verification was only an in-app requirement; there were no server-side checks to ensure accounts had been validated, "meaning you can programmatically use Find Friends on a brand-new account, no phone number verification required," he explained in a blog post.

Smith again texted Murphy. By 17 January, Snapchat had started enforcing server-side phone number validation before letting accounts use the Find Friends service, Smith said.
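The hole Smith describes is a classic one: the client enforces a precondition (a verified phone number) that the server never re-checks, so anyone talking to the API directly bypasses it. The following is an added illustration, not Snapchat's code, of what server-side enforcement of that rule looks like. The account store, session tokens, phone numbers and rate-limit policy are all constructed for the example; the flawed handler trusts the app, the hardened one authenticates, requires a verified phone and rate-limits before doing the lookup.

```python
"""Server-side gating of a contact-lookup endpoint.
Added example, not Snapchat's code. The in-memory store, session tokens,
phone numbers and the 5-per-minute policy are constructed assumptions."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    username: str
    phone: Optional[str] = None
    phone_verified: bool = False
    lookups: List[float] = field(default_factory=list)  # timestamps of lookup calls


# Constructed in-memory "database": username -> Account, session token -> username.
ACCOUNTS: Dict[str, Account] = {}
SESSIONS: Dict[str, str] = {}

LOOKUP_WINDOW_SECONDS = 60
LOOKUP_LIMIT = 5  # max lookup calls per account per window (assumed policy)


def register(username: str) -> str:
    """Create a brand-new, unverified account and hand back a session token."""
    ACCOUNTS[username] = Account(username)
    token = secrets.token_hex(16)
    SESSIONS[token] = username
    return token


def verify_phone(username: str, phone: str) -> None:
    """Mark the phone as verified; assumes the SMS code was checked elsewhere."""
    acct = ACCOUNTS[username]
    acct.phone = phone
    acct.phone_verified = True


def _lookup(numbers: List[str]) -> List[str]:
    """Return usernames whose verified phone appears in the submitted list."""
    wanted = set(numbers)
    return sorted(a.username for a in ACCOUNTS.values()
                  if a.phone_verified and a.phone in wanted)


def find_friends_flawed(token: str, numbers: List[str]) -> List[str]:
    """Client-only model: the server authenticates the session but trusts
    that the app already refused to call this until the phone was verified."""
    if token not in SESSIONS:
        raise PermissionError("invalid session")
    return _lookup(numbers)


def find_friends(token: str, numbers: List[str],
                 now: Optional[float] = None) -> List[str]:
    """Hardened handler: authenticate, require a verified phone on the
    calling account, apply a sliding-window rate limit, then look up."""
    now = time.time() if now is None else now
    username = SESSIONS.get(token)
    if username is None:
        raise PermissionError("invalid session")
    acct = ACCOUNTS[username]
    if not acct.phone_verified:
        raise PermissionError("phone number not verified")
    # Keep only calls inside the current window, then enforce the cap.
    acct.lookups = [t for t in acct.lookups if now - t < LOOKUP_WINDOW_SECONDS]
    if len(acct.lookups) >= LOOKUP_LIMIT:
        raise PermissionError("rate limit exceeded")
    acct.lookups.append(now)
    return _lookup(numbers)


if __name__ == "__main__":
    t_alice = register("alice")
    verify_phone("alice", "+15550001")
    t_new = register("newbie")  # never verifies a phone
    print("flawed:", find_friends_flawed(t_new, ["+15550001"]))   # ['alice']
    try:
        find_friends(t_new, ["+15550001"])
    except PermissionError as e:
        print("hardened:", e)                                      # phone number not verified
```

The point of the hardened handler is that every precondition the app displays to the user is re-derived from server-side state on each request; the app's own gating is treated as a convenience for users, not as a security control.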

A company spokeswoman confirmed the new verification screen to ITProPortal, but did not provide details about Smith's involvement.

Snapchat did, however, tell TechCrunch that "we appreciate the efforts of those who help identify vulnerabilities in our service and we continue to make significant progress in our efforts to secure Snapchat."

"After making various suggestions as to how Snapchat could fix their problems, Snapchat had decided (previously) to make various fixes that were either incomplete or didn't get the job done," Smith said.

It may not stump the young hacker, though. Via a series of tweets, Smith revealed his continued effort to beat Snapchat.

"Template matching FTW. Time to try it out against Snapchat," he wrote Tuesday, a reference to the title given to Snapchat's security update.