Snapchat's new image-based human verification system already defeated
The new anti-bot system can easily be bypassed using computer vision techniques, CAPTCHA experts say
IDG News Service - Snapchat added an image-based security challenge to its account registration process to verify that new accounts are created by humans, but the system can easily be defeated by computers, experts said.
The new feature, known as a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is part of a series of security-related changes made by the company this month following the disclosure of vulnerabilities that allowed attackers to match large sets of phone numbers to Snapchat accounts and to register new accounts in bulk. Hackers exploited the security holes to expose the user names and phone numbers of 4.6 million users of the popular mobile photo messaging service.
Since the beginning of the week, Snapchat presents users with a set of nine images when they attempt to register a new account and asks them to select only the images that contain a white ghost -- the same one used in the Snapchat logo. "Just making sure you're not a robot," the new Snapchat CAPTCHA screen says.
"The problem with this is that the Snapchat ghost is very particular," Steven Hickson, a research assistant at Georgia Institute of Technology said Wednesday in a blog post. "You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision."
Hickson said that it took him around 30 minutes to write some code that uses OpenCV -- the Open Source Computer Vision Library -- to solve one of Snapchat's CAPTCHA challenges reliably.
The code, which he published on Github, extracts the images from the CAPTCHA challenge and uses thresholding techniques to find objects in them that have the same color as the ghost template. It then extracts feature points and descriptors from those objects and compares them with similar data from the ghost template in order to find matches.
Hickson claims his code was able to find the ghost in one CAPTCHA challenge he tested with 100 percent accuracy. There are even better methods in computer vision that could be used to do the same thing, he said.
"I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong," Hickson said. "There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing."
David Lorenzi, a graduate research assistant at Rutgers Business School in Newark who researched attacks on image CAPTCHA systems in the past, agreed with Hickson's analysis.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources...
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users? All Social Media White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!