Slashdot Mirror

← Back to Stories (view on slashdot.org)

Snapchat Account Registration CAPTCHA Defeated

Posted by timothy on from the take-a-picture-it'll-last-longer dept.

hypnosec writes "Snapchat's security troubles continue as a security researcher has managed to hack its account registration CAPTCHA system with a program of less than 100 lines that took 30 minutes to develop. Steve Hickson, a computer engineer by education, wrote a small computer program with very little effort that identifies Snapchat's ghost from the given set of images. Hickson equates Snapchat's ghost very particular and calls it a template that can be matched easily using a computer program. Hickson used a combination of Open Source Computer Vision Library (OpenCV), SURF points and FLANN matching "with a uniqueness test to determine that multiple keypoints in the training image weren't being singularly matched in the testing image.""

34 of 52 comments (clear)

  1. Need by Anonymous Coward · · Score: 5, Insightful

    I need this code because half the time I can't figure out what the capture characters are myself.

    1. Re:Need by bobjr94 · · Score: 2

      I would like a firefox captcha reading plugin

    2. Re:Need by Sockatume · · Score: 2

      If you click through, it's not a conventional Captcha; it's the company's logo inserted into some cartoon images. The point of the article is that it's a trivial computer vision problem.

      --
      No kidding!!! What do you say at this point?
  2. So What? by Anonymous Coward · · Score: 1

    So, what does this mean?

    Disappearing spam?
    A flood of dick picks?
    Nothing at all?

  3. "Hickson equates Snapchat's ghost very particular" by Anonymous Coward · · Score: 1

    EMFDYSI?

  4. CAPTCHAS by LoRdTAW · · Score: 3, Insightful

    So is there a way you could randomly seed an algorithm to generate a ghost with some noise in its drawing to throw off the vision processing? I realize the ghost is their logo but distorting it randomly could help thwart such an attack. Or am I missing something?

    1. Re:CAPTCHAS by Desler · · Score: 1

      Sure that would likely thwart it. The point is that it's currently crappily implemented.

    2. Re:CAPTCHAS by ackthpt · · Score: 1

      Sure that would likely thwart it. The point is that it's currently crappily implemented.

      Subject to change without notice .. after all, why do they need to tell anyone they are changing how anything works?

      --

      A feeling of having made the same mistake before: Deja Foobar
  5. Re:3 Billion by game+kid · · Score: 3, Funny

    A site with barely-broadcastable body pictures that end up disappearing from it and yet still end up preserved on other parts of the web?

    I say it's already like MySpace.

    --
    You can hold down the "B" button for continuous firing.
  6. AmIHotOrNot by MillionthMonkey · · Score: 2

    One would think they would use an "AmIHotOrNot"-style CAPTCHA- show some snapped images, and ask "who would you most like to have sex with?"

    1. Re:AmIHotOrNot by MillionthMonkey · · Score: 2

      Actually, if you do a google image search and actually look at SnapChat's "CAPTCHA", it's unbelievable, like a piece of work from the nineties.

      It shows you nine images and asks you to select the ones where the ghost appears. (Random selections net 1 success in 512 right there, and they probably won't show you zero, one, eight, or nine ghosts, increasing success rates to 492 to 1.)

      Notice that a ghost or its impostor is always the only white shape in the image. (Sometimes there are also a few white stars, moons, etc.) To improve from random guessing, isolate the white blob, select its center of mass, transform the outline into polar coordinates, perform a Fourier transform, prepare a vector from the Fourier coefficients, and all the ghosts will cluster together in that vector space. (There will also be a star cluster, an apple cluster, a tree trunk cluster, a top hat cluster, a full moon cluster, etc.)

    2. Re:AmIHotOrNot by michelcolman · · Score: 1

      And then if it clicks on a computer in the background of one of the pictures, you know it's a bot.

  7. Not a few lines of code - by Anonymous Coward · · Score: 4, Insightful

    uses 3 well developed source libraries

    1. Re:Not a few lines of code - by Anonymous Coward · · Score: 2, Insightful

      If you wish to make an apple pie from scratch, you must first invent the universe. --Carl Sagan

    2. Re:Not a few lines of code - by sexconker · · Score: 1

      If you wish to make an apple pie from scratch, you must first invent the universe. --Carl Sagan

      And if you wish to be a "security researcher" you must never do any useful research, programming, or learning.

  8. Re:"Hickson equates Snapchat's ghost very particul by MillionthMonkey · · Score: 2

    EMFDYSI?

    Fix his sentence by swapping two verbs and add a preposition:

    "Hickson calls Snapchat's ghost very particular and equates it to a template that can be matched easily using a computer program."

    See? I'm a human, man.

    As for "EMDYSI?", I thought that was a CAPTCHA for a second and was about to prove my humanity with an eight-character response.

  9. Captchas are dead, dead, dead by Arrogant-Bastard · · Score: 1

    I've been saying this for years -- here and elsewhere. Yet their foolish supporters continue to insist on using them, despite the steady parade of demonstration proofs showing that they're easily defeated. (I'm not going to bother with the catalog of links this time. Use a search engine. Read the items that show up on the first two pages of results -- that should be enough.)

    Either you're defending an important resource or you're not. If you're not, then you don't need captchas and shouldn't use them. If you are, then the first person who decides that your resource is worth the trouble will break your captchas, either by code, by brute force, by co-opted masses or by some combination of those. You have no shot. NONE. If you think so, then you didn't perform the exercise I suggest in the last paragraph.)

    A defense that is known-broken is not a defense at all.

    1. Re:Captchas are dead, dead, dead by TrollstonButterbeans · · Score: 2

      The actual stupidity isn't CAPTCHAs. It is the use of a single method with very slight deviation.

      "Here is our ONE single WAY we have thought of to secure this!" --- this is the fail.

      --
      Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    2. Re:Captchas are dead, dead, dead by jonwil · · Score: 1

      The best CAPTCHA type thing I have seen is one that displays one larger image and 4 smaller images and asks you to match the content of one of the smaller images to the larger image (e.g. "drag the plug to the socket").

  10. after the hack, something odd happened... by Connie_Lingus · · Score: 4, Funny

    ...Mr. Hickson disappeared after 10 seconds.

    --
    never bring a twinkie to a food fight.
    1. Re:after the hack, something odd happened... by ackthpt · · Score: 1

      Nah. They'll buy him out.

      "OK, buy him out boys." CRUNCH CRACK SHATTER BREAK

      "I didnt become this rich by writing checks"

      --

      A feeling of having made the same mistake before: Deja Foobar
  11. Re:3 Billion by ackthpt · · Score: 1

    Jane, how do I share this thing?!? Jaaaannne!

    Is the future here yet? I feel like having toast.

    --

    A feeling of having made the same mistake before: Deja Foobar
  12. The mangled version is in the original by Vainglorious+Coward · · Score: 1

    Note also that the hypnosec didn't "write" this submission - like the vast majority of submitters s/he simply copy& pasted the first two paragraphs from the fine article. In other words, both submitter and slashdot admin either didn't read it, or have terrible reading comprehension skills. Probably both.

    --
    My next sig will be ready soon, but subscribers can beat the rush
  13. Why is the summary written in Chinglish? by wonkey_monkey · · Score: 1

    Hickson equates Snapchat's ghost very particular and calls it a template

    Why is the summary written in Chinglish?

    Oh wait, I know. It's because the submitter blindly copy-pasted it from the article and the editors don't give two shits about looking lazy and incompetent.

    hypnosec writes

    Can we please stop displaying this lie on practically every story? hynosec didn't write anything.

    --
    systemd is Roko's Basilisk.
  14. The 2 best ways to crack any Captchca... by Anonymous Coward · · Score: 1

    1. Harness the power of horny teenagers by creating a free porn website that requires registration requiring a captcha, which is actually the redirected captcha of your target website.
    2. Pay a room full of Indians to enter captchas all day.
    You're welcome.

    1. Re:The 2 best ways to crack any Captchca... by foobar+bazbot · · Score: 1

      Actually, snapchat's captcha is so incredibly computer-friendly that writing a program to break it is probably the cheapest/easiest way for once. Seriously, it's like some sort of homework assignment from a computer vision class.

  15. Power of jailbait. by meaty · · Score: 1

    The desire to get access to jailbait will overcome all obstacles.

  16. Small problem set by MillionthMonkey · · Score: 3, Interesting

    There are two problems with higher-order processing CAPTCHAs like that. One is the small problem set. A human at the website has to actually think of those connections between plugs and sockets, or umbrellas and rainstorms, or pizza and ovens, or hair and shampoo, etc. So the problem space is small. Then, blindly guessing answers still yields a decent success rate. Your particular example can be guessed with a success rate of 1 in 256.

    Blurring a pair of words from a dictionary onto each other automatically generates millions of possible challenges, and random guessing won't work as well- at least some image analysis is needed.

    My own idea for a CAPTCHA is to use images from Google Street View. Show random street view images of a bunch of houses, and ask, "what's the house number"? That would probably take a while to crack, long enough for me to dump my startup site's shares before all the porn gets leaked- if not for those assholes at Google interfering.

    1. Re:Small problem set by Anonymous Coward · · Score: 1

      My own idea for a CAPTCHA is to use images from Google Street View. Show random street view images of a bunch of houses, and ask, "what's the house number"? That would probably take a while to crack, long enough for me to dump my startup site's shares before all the porn gets leaked- if not for those assholes at Google interfering.

      That's exactly what reCAPTCHA (which was acquired by Google) does. For example: screenshot of reCAPTCHA.

    2. Re:Small problem set by MillionthMonkey · · Score: 1

      That's exactly what reCAPTCHA (which was acquired by Google) does. For example: screenshot of reCAPTCHA [wikimedia.org].

      Sigh... I need a better job...

  17. I make captchas. 1/256 random is a good captcha by raymorris · · Score: 3, Insightful

    If the captcha is easy enough for humans, 1 in 256 random chance is fine for many applications. I've designed several very successful captcha systems used on thousands of sites. There are two reasons I say 1 / 256 is often fine.

    First, let's consider one typical use case - blog spam. The spammer has a choice. He can spend this evening posting to 1,000 blogs with captchas, or the same amount of time post to 256,000 blogs without captchas. Which would you choose if you were a spammer? You choose the unprotected sites, of course. Sites without captchas get hundreds of times as much spam. Bad guys are by definition lazy, so they go after the low hanging fruit. Don't be low hanging fruit.

    In other use cases, there may not be direct competition. Still, there's a cost / benefit analysis. Let's say it costs 1 penny of resources to register and use a snapchat account in a way the generates 12 cents in revenue. Multiply the cost by 256 and it's no longer profitable to abuse the service.

    For most of our customers, the captcha is one part of a defense against brute force on the login screen. Assume that due to the other components of the system, you need 10,000 proxies to successfully brute force the login, because IPs banned after a dozen failed attempts. The captcha multiplies that by 256, so you now need over 2.5 MILLION proxies. I suspect that nobody has 2.5 million proxies to use. We have one of the largest lists of open proxies in the world, and even we don't have quite that many.

  18. Less than a 100 lines??? by LordWabbit2 · · Score: 2

    Less than a 100 lines???
    How many lines of code are in OpenCV?

    --
    There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    1. Re:Less than a 100 lines??? by michelcolman · · Score: 2

      Just one (if you remove the line feeds)

    2. Re:Less than a 100 lines??? by LordWabbit2 · · Score: 1

      Wrong, I think you will find that most compilers will balk at any single line of code longer than 65 536 characters.
      I doubt OpenCV is that short.
      Also you forgot about the carriage returns. (Me being pedantic)
      But if we had to extend your reasoning to everything and ignore line limits then we could say that all the software in the world is a single line of code and we pay programmers too much for one line of code.

      I worked at a company that measured work progress by lines of code (LOC) stupid bloody idea that only a non programmer could come up with.
      I have never come across more long ass winded code in my entire life.
      Some calculation which could be done one one line took seven (or more)
      Instead of refactoring common code into a function it was copy / pasted everywhere to bulk up LOC!
      Suffice to say small changes to the common code was fraught with errors as one set of code was updated and a missed in a couple other places while digging through millions of lines of verbose code
      Whoever came up with the idea of LOC as a measurement should be buried under the lines of redundant code it produced.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.