Snapchat's new image-based human verification system already defeated
The new anti-bot system can easily be bypassed using computer vision techniques, CAPTCHA experts say
IDG News Service - Snapchat added an image-based security challenge to its account registration process to verify that new accounts are created by humans, but the system can easily be defeated by computers, experts said.
The new feature, known as a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is part of a series of security-related changes made by the company this month following the disclosure of vulnerabilities that allowed attackers to match large sets of phone numbers to Snapchat accounts and to register new accounts in bulk. Hackers exploited the security holes to expose the user names and phone numbers of 4.6 million users of the popular mobile photo messaging service.
Since the beginning of the week, Snapchat presents users with a set of nine images when they attempt to register a new account and asks them to select only the images that contain a white ghost -- the same one used in the Snapchat logo. "Just making sure you're not a robot," the new Snapchat CAPTCHA screen says.
"The problem with this is that the Snapchat ghost is very particular," Steven Hickson, a research assistant at Georgia Institute of Technology, said Wednesday in a blog post. "You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision."
Hickson said that it took him around 30 minutes to write some code that uses OpenCV -- the Open Source Computer Vision Library -- to solve one of Snapchat's CAPTCHA challenges reliably.
The code, which he published on GitHub, extracts the images from the CAPTCHA challenge and uses thresholding techniques to find objects in them that have the same color as the ghost template. It then extracts feature points and descriptors from those objects and compares them with similar data from the ghost template in order to find matches.
Hickson claims his code was able to find the ghost in one CAPTCHA challenge he tested with 100 percent accuracy. There are even better methods in computer vision that could be used to do the same thing, he said.
"I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong," Hickson said. "There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing."
David Lorenzi, a graduate research assistant at Rutgers Business School in Newark who researched attacks on image CAPTCHA systems in the past, agreed with Hickson's analysis.