A security researcher has shown that a new user-verification system introduced by Snapchat to prevent hackers from stealing phone numbers is easily defeated.
Snapchat is a mobile app that allows users to send and receive "self-destructing" photos and videos.
Earlier this month, hackers accessed a user database and uploaded usernames and phone numbers to SnapchatDB.info, which was quickly taken down.
The user-verification system works by asking new users to pick, from a selection of nine images, those in which Snapchat's ghost logo appears.
But security researcher Steve Hickson was able to defeat the system by using his knowledge of how computers recognise images.
"I spent around 30 minutes writing up some code" to perform an automated recognition task, he wrote in a blog post.
"With very little effort, my code was able to 'find the ghost' with 100% accuracy," he wrote.
According to Hickson, this is "an incredibly bad way to verify someone is a person because it is such an easy problem for a computer to solve" and can be done in a variety of quick and effective ways.
"It's a numbers game with computers and Snapchat's verification system is losing," he said.
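To illustrate Hickson's point for defenders, here is an added example (not his code, and not Snapchat's system) of why a challenge built around one fixed, known logo is a poor bot test: plain template matching over a constructed nine-panel challenge of tiny binary images picks out the logo with no training at all. The ghost shape, the panels and the one-pixel noise tolerance are all constructed for the demo.

```python
from typing import List, Optional, Sequence, Tuple

Image = List[List[int]]

# Constructed 4x4 stand-in for the ghost logo (not Snapchat's artwork).
GHOST: Image = [
    [0, 1, 1, 0],
    [1, 1, 1, 1],
    [1, 0, 0, 1],
    [1, 0, 1, 0],
]

def contains_template(img: Image, tpl: Image, max_mismatch: int = 0) -> bool:
    """Slide tpl over img; hit if some window differs from tpl in at most
    max_mismatch pixels (a small tolerance for compression noise)."""
    th, tw, ih, iw = len(tpl), len(tpl[0]), len(img), len(img[0])
    for y in range(ih - th + 1):
        for x in range(iw - tw + 1):
            mismatches = sum(
                img[y + dy][x + dx] != tpl[dy][dx]
                for dy in range(th) for dx in range(tw)
            )
            if mismatches <= max_mismatch:
                return True
    return False

def make_image(size: int, stamp: Optional[Image] = None,
               at: Tuple[int, int] = (0, 0),
               noise: Sequence[Tuple[int, int]] = ()) -> Image:
    """Blank size x size image, optionally with a shape stamped at (row, col)
    and the listed pixels flipped to simulate noise."""
    img = [[0] * size for _ in range(size)]
    if stamp is not None:
        for dy, row in enumerate(stamp):
            for dx, v in enumerate(row):
                img[at[0] + dy][at[1] + dx] = v
    for r, c in noise:
        img[r][c] ^= 1
    return img

def find_ghost(challenge: Sequence[Image], tpl: Image = GHOST) -> List[int]:
    """Indices of the panels that contain the logo; no learning needed."""
    return [i for i, img in enumerate(challenge) if contains_template(img, tpl, 1)]

# Constructed nine-panel challenge: a decoy square in panel 0, the ghost in
# panels 2, 5 (with one flipped pixel) and 7, blank everywhere else.
SQUARE: Image = [[1] * 4 for _ in range(4)]
CHALLENGE: List[Image] = [make_image(8) for _ in range(9)]
CHALLENGE[0] = make_image(8, SQUARE, (2, 2))
CHALLENGE[2] = make_image(8, GHOST, (1, 2))
CHALLENGE[5] = make_image(8, GHOST, (3, 3), noise=[(4, 4)])
CHALLENGE[7] = make_image(8, GHOST, (0, 0))
```

`find_ghost(CHALLENGE)` returns `[2, 5, 7]`; the decoy square and the blank panels never come within the tolerance, which is exactly why a single known asset gives a bot test no leverage.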
Snapchat told Engadget that it is making "significant progress" in locking down its chat service and hinted that more security measures are on the way.
The user database compromise followed a warning by Australian firm Gibson Security that hackers could exploit vulnerabilities in the Snapchat app.
The hackers said they had exploited the security flaw highlighted by Gibson Security. "We used a modified version of gibsonsec's exploit/method," they were quoted as saying by TechCrunch.
The hackers said their aim was to raise public awareness around the issue, and also put public pressure on Snapchat to get the exploit fixed.