Slashdot Mirror


Snapchat Account Registration CAPTCHA Defeated

hypnosec writes "Snapchat's security troubles continue as a security researcher has managed to hack its account registration CAPTCHA system with a program of less than 100 lines that took 30 minutes to develop. Steve Hickson, a computer engineer by education, wrote a small computer program with very little effort that identifies Snapchat's ghost from the given set of images. Hickson equates Snapchat's ghost very particular and calls it a template that can be matched easily using a computer program. Hickson used a combination of Open Source Computer Vision Library (OpenCV), SURF points and FLANN matching "with a uniqueness test to determine that multiple keypoints in the training image weren't being singularly matched in the testing image.""

16 of 52 comments

  1. Need by Anonymous Coward · · Score: 5, Insightful

    I need this code because half the time I can't figure out what the capture characters are myself.

    1. Re:Need by bobjr94 · · Score: 2

      I would like a Firefox captcha reading plugin

    2. Re:Need by Sockatume · · Score: 2

      If you click through, it's not a conventional Captcha; it's the company's logo inserted into some cartoon images. The point of the article is that it's a trivial computer vision problem.

      --
      No kidding!!! What do you say at this point?
  2. CAPTCHAS by LoRdTAW · · Score: 3, Insightful

    So is there a way you could randomly seed an algorithm to generate a ghost with some noise in its drawing to throw off the vision processing? I realize the ghost is their logo but distorting it randomly could help thwart such an attack. Or am I missing something?

  3. Re:3 Billion by game+kid · · Score: 3, Funny

    A site with barely-broadcastable body pictures that end up disappearing from it and yet still end up preserved on other parts of the web?

    I say it's already like MySpace.

    --
    You can hold down the "B" button for continuous firing.
  4. AmIHotOrNot by MillionthMonkey · · Score: 2

    One would think they would use an "AmIHotOrNot"-style CAPTCHA- show some snapped images, and ask "who would you most like to have sex with?"

    1. Re:AmIHotOrNot by MillionthMonkey · · Score: 2

      Actually, if you do a google image search and actually look at SnapChat's "CAPTCHA", it's unbelievable, like a piece of work from the nineties.

      It shows you nine images and asks you to select the ones where the ghost appears. (Random selections net 1 success in 512 right there, and they probably won't show you zero, one, eight, or nine ghosts, increasing success rates to 492 to 1.)

      Notice that a ghost or its impostor is always the only white shape in the image. (Sometimes there are also a few white stars, moons, etc.) To improve from random guessing, isolate the white blob, select its center of mass, transform the outline into polar coordinates, perform a Fourier transform, prepare a vector from the Fourier coefficients, and all the ghosts will cluster together in that vector space. (There will also be a star cluster, an apple cluster, a tree trunk cluster, a top hat cluster, a full moon cluster, etc.)

  5. Not a few lines of code - by Anonymous Coward · · Score: 4, Insightful

    uses 3 well developed source libraries

    1. Re:Not a few lines of code - by Anonymous Coward · · Score: 2, Insightful

      If you wish to make an apple pie from scratch, you must first invent the universe. --Carl Sagan

  6. Re:"Hickson equates Snapchat's ghost very particul by MillionthMonkey · · Score: 2

    EMFDYSI?

    Fix his sentence by swapping two verbs and add a preposition:

    "Hickson calls Snapchat's ghost very particular and equates it to a template that can be matched easily using a computer program."

    See? I'm a human, man.

    As for "EMDYSI?", I thought that was a CAPTCHA for a second and was about to prove my humanity with an eight-character response.

  7. after the hack, something odd happened... by Connie_Lingus · · Score: 4, Funny

    ...Mr. Hickson disappeared after 10 seconds.

    --
    never bring a twinkie to a food fight.
  8. Re:Captchas are dead, dead, dead by TrollstonButterbeans · · Score: 2

    The actual stupidity isn't CAPTCHAs. It is the use of a single method with very slight deviation.

    "Here is our ONE single WAY we have thought of to secure this!" --- this is the fail.

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
  9. Small problem set by MillionthMonkey · · Score: 3, Interesting

    There are two problems with higher-order processing CAPTCHAs like that. One is the small problem set. A human at the website has to actually think of those connections between plugs and sockets, or umbrellas and rainstorms, or pizza and ovens, or hair and shampoo, etc. So the problem space is small. Then, blindly guessing answers still yields a decent success rate. Your particular example can be guessed with a success rate of 1 in 256.

    Blurring a pair of words from a dictionary onto each other automatically generates millions of possible challenges, and random guessing won't work as well- at least some image analysis is needed.

    My own idea for a CAPTCHA is to use images from Google Street View. Show random street view images of a bunch of houses, and ask, "what's the house number"? That would probably take a while to crack, long enough for me to dump my startup site's shares before all the porn gets leaked- if not for those assholes at Google interfering.

  10. I make captchas. 1/256 random is a good captcha by raymorris · · Score: 3, Insightful

    If the captcha is easy enough for humans, 1 in 256 random chance is fine for many applications. I've designed several very successful captcha systems used on thousands of sites. There are two reasons I say 1 / 256 is often fine.

    First, let's consider one typical use case - blog spam. The spammer has a choice. He can spend this evening posting to 1,000 blogs with captchas, or the same amount of time post to 256,000 blogs without captchas. Which would you choose if you were a spammer? You choose the unprotected sites, of course. Sites without captchas get hundreds of times as much spam. Bad guys are by definition lazy, so they go after the low hanging fruit. Don't be low hanging fruit.

    In other use cases, there may not be direct competition. Still, there's a cost / benefit analysis. Let's say it costs 1 penny of resources to register and use a snapchat account in a way that generates 12 cents in revenue. Multiply the cost by 256 and it's no longer profitable to abuse the service.

    For most of our customers, the captcha is one part of a defense against brute force on the login screen. Assume that due to the other components of the system, you need 10,000 proxies to successfully brute force the login, because IPs are banned after a dozen failed attempts. The captcha multiplies that by 256, so you now need over 2.5 MILLION proxies. I suspect that nobody has 2.5 million proxies to use. We have one of the largest lists of open proxies in the world, and even we don't have quite that many.
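The arithmetic in the comments above (blind-guess odds for the nine-image challenge, and the 1-in-256 cost multiplier), worked through as an added example that is not part of the original thread. The cent and proxy figures are the ones quoted in the comments; the per-tile solver accuracy and the independence of tiles are assumptions made here to show how the multiplier shrinks once an automated solver exists.

```python
from fractions import Fraction
from math import ceil, comb


def blind_guess_space(tiles, min_hits=0, max_hits=None):
    """Count the equally likely answers to a 'select the matching tiles' challenge."""
    max_hits = tiles if max_hits is None else max_hits
    return sum(comb(tiles, k) for k in range(min_hits, max_hits + 1))


def challenge_pass_rate(per_tile_accuracy, tiles):
    """Pass rate when every tile must be right (assumes tiles are independent)."""
    return per_tile_accuracy ** tiles


def cost_per_success(cost_per_attempt, pass_rate):
    """Expected spend per passed challenge: mean number of attempts is 1/pass_rate."""
    return cost_per_attempt / pass_rate


def abuse_profitable(cost_per_attempt, revenue, pass_rate):
    """True when one passed challenge earns more than it costs on average."""
    return revenue > cost_per_success(cost_per_attempt, pass_rate)


def break_even_pass_rate(cost_per_attempt, revenue):
    """Pass rate above which the CAPTCHA no longer makes abuse unprofitable."""
    return Fraction(cost_per_attempt, revenue)


def proxies_needed(base_proxies, pass_rate):
    """Proxies required once each login attempt must also pass the CAPTCHA."""
    return ceil(base_proxies / pass_rate)


if __name__ == "__main__":
    print("9 tiles, any subset:", blind_guess_space(9))
    print("9 tiles, 2 to 7 ghosts:", blind_guess_space(9, 2, 7))
    blind = Fraction(1, 256)                          # figure from the thread
    solver = challenge_pass_rate(Fraction(9, 10), 9)  # assumed 90% per tile
    for name, rate in (("blind 1/256", blind), ("assumed solver", solver)):
        print(name, "cents per success:", float(cost_per_success(1, rate)),
              "profitable:", abuse_profitable(1, 12, rate))
    print("break-even pass rate:", break_even_pass_rate(1, 12))
    print("proxies at 1/256:", proxies_needed(10_000, blind))
```

With the thread's 1 cent cost and 12 cent revenue, the break-even pass rate is 1 in 12, so the 1-in-256 argument holds against blind guessing but not against a solver that passes more often than that.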

  11. Less than a 100 lines??? by LordWabbit2 · · Score: 2

    Less than a 100 lines???
    How many lines of code are in OpenCV?

    --
    There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    1. Re:Less than a 100 lines??? by michelcolman · · Score: 2

      Just one (if you remove the line feeds)