Snapchat's new image-based human verification system already defeated

The new anti-bot system can easily be bypassed using computer vision techniques, CAPTCHA experts say

Snapchat's CAPTCHA can be defeated using computer vision techniques


Snapchat added an image-based security challenge to its account registration process to verify that new accounts are created by humans, but the system can easily be defeated by computers, experts said.

The new feature, known as a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is part of a series of security-related changes made by the company this month following the disclosure of vulnerabilities that allowed attackers to match large sets of phone numbers to Snapchat accounts and to register new accounts in bulk. Hackers exploited the security holes to expose the user names and phone numbers of 4.6 million users of the popular mobile photo messaging service.

Since the beginning of the week, Snapchat presents users with a set of nine images when they attempt to register a new account and asks them to select only the images that contain a white ghost -- the same one used in the Snapchat logo. "Just making sure you're not a robot," the new Snapchat CAPTCHA screen says.

"The problem with this is that the Snapchat ghost is very particular," Steven Hickson, a research assistant at Georgia Institute of Technology said Wednesday in a blog post. "You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision."

Hickson said that it took him around 30 minutes to write some code that uses OpenCV -- the Open Source Computer Vision Library -- to solve one of Snapchat's CAPTCHA challenges reliably.

The code, which he published on Github, extracts the images from the CAPTCHA challenge and uses thresholding techniques to find objects in them that have the same color as the ghost template. It then extracts feature points and descriptors from those objects and compares them with similar data from the ghost template in order to find matches.

Hickson claims his code was able to find the ghost in one CAPTCHA challenge he tested with 100 percent accuracy. There are even better methods in computer vision that could be used to do the same thing, he said.
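The weakness the article describes is easy to see in miniature. The following block is an added example, not Hickson's published code and not Snapchat's generator: it builds a toy nine-tile challenge the way a template-based generator would (stamp a fixed "ghost" or a decoy shape at a random offset, add a little pixel noise), then answers it with the simplest form of template matching, sliding the template over each tile and scoring pixel agreement. The 5x5 shapes, tile size, noise level and 0.8 threshold are all constructed for the example. A CAPTCHA designer can run this kind of self-test against their own generator before shipping it; the `answer_space` helper also spells out the "nine yes-or-no questions" point made later in the article.

```python
"""Added example (not Hickson's code or Snapchat's system): a self-test a CAPTCHA
designer can run to see how little resistance a template-based image challenge
offers to plain template matching. All images are tiny constructed binary tiles;
the "ghost" and "decoy" shapes are made up for the example."""
import random

# Constructed 5x5 binary shapes. GHOST stands in for the fixed template the
# challenge asks users to find; DECOY stands in for the non-ghost filler.
GHOST = ["01110", "11111", "10101", "11111", "10101"]
DECOY = ["11111", "10001", "10001", "10001", "11111"]
TILE = 12            # each challenge tile is TILE x TILE pixels (assumption)
N_TILES = 9          # the challenge shows nine tiles
NOISE_FLIPS = 2      # random pixel flips per tile, to mimic minor rendering noise
THRESHOLD = 0.8      # fraction of template pixels that must agree (assumption)


def make_challenge(rng, n_tiles=N_TILES):
    """Generate one challenge the way a template-based generator would:
    stamp either the ghost or a decoy at a random offset, then add noise.
    Returns (tiles, answer) where answer is the set of ghost tile indices."""
    tiles, answer = [], set()
    for i in range(n_tiles):
        tile = [[0] * TILE for _ in range(TILE)]
        shape = GHOST if rng.random() < 0.5 else DECOY
        top = rng.randrange(TILE - len(shape) + 1)
        left = rng.randrange(TILE - len(shape[0]) + 1)
        for r, row in enumerate(shape):
            for c, ch in enumerate(row):
                tile[top + r][left + c] = int(ch)
        for _ in range(NOISE_FLIPS):
            r, c = rng.randrange(TILE), rng.randrange(TILE)
            tile[r][c] ^= 1
        if shape is GHOST:
            answer.add(i)
        tiles.append(tile)
    return tiles, answer


def best_match_score(tile, template=GHOST):
    """Slide the template over the tile and return the best fraction of
    agreeing pixels (a binary stand-in for normalised cross-correlation)."""
    th, tw = len(template), len(template[0])
    best = 0.0
    for top in range(len(tile) - th + 1):
        for left in range(len(tile[0]) - tw + 1):
            agree = sum(
                tile[top + r][left + c] == int(template[r][c])
                for r in range(th) for c in range(tw)
            )
            best = max(best, agree / (th * tw))
    return best


def solve(tiles, threshold=THRESHOLD):
    """Pick every tile whose best template score clears the threshold."""
    return {i for i, t in enumerate(tiles) if best_match_score(t) >= threshold}


def solve_rate(n_challenges, seed=0):
    """Fraction of generated challenges the matcher answers completely correctly.
    With a fixed template and mild noise this comes out at 100 percent."""
    rng = random.Random(seed)
    solved = 0
    for _ in range(n_challenges):
        tiles, answer = make_challenge(rng)
        solved += solve(tiles) == answer
    return solved / n_challenges


def answer_space(n_tiles=N_TILES):
    """Nine independent yes/no tiles give only 2**9 = 512 possible answers,
    so even blind guessing succeeds once in 512 attempts."""
    return 2 ** n_tiles


if __name__ == "__main__":
    print(f"template matcher solves {solve_rate(200):.0%} of challenges")
    print(f"answer space: {answer_space()} (random guess succeeds 1/{answer_space()})")
```

The design point is the one Lorenzi makes: because every positive tile contains the same template, the matcher needs no training and no tolerance beyond a fixed agreement threshold. Raising the noise or varying the template's scale and rotation per challenge forces an attacker to do more work, but only a generator whose positives are genuinely diverse stops a template match outright.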

"I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong," Hickson said. "There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing."

David Lorenzi, a graduate research assistant at Rutgers Business School in Newark who researched attacks on image CAPTCHA systems in the past, agreed with Hickson's analysis.

"The key takeaway is that the [Snapchat] CAPTCHA simply has too low of a variation in its challenges -- images featuring a ghost -- to provide effective security," Lorenzi said Thursday via email. "I suspect Snapchat used a template based image generator in the creation of these picture challenges as it would provide an effective and efficient means to easily generate a large number of 'unique challenges' in an attempt to prevent an attacker from launching a database attack against it. Sadly, this also means that the images generated in this fashion are weak against the method Steve [Hickson] is using."

Lorenzi hopes this case will inspire other developers to be more concerned about their CAPTCHA implementations so they can make online services safer for everyone.

Traditional text-based CAPTCHAs have a high level of variation and are even a bit hard for people to solve, and that's because computers can read text very well using OCR (optical character recognition), Hickson said Thursday via email. "These days, we can do most template matching almost as well."

Snapchat should either use a well-known and tested text-based CAPTCHA implementation like reCAPTCHA or should design its challenges to have a very complex answer, Hickson said. The idea is to have a question with a large variety of possible answers and only one correct answer, but Snapchat's CAPTCHA challenge is effectively nine yes-or-no questions.

Unfortunately, text-based CAPTCHAs are not very user friendly on touch-enabled devices, which is probably why Snapchat chose an implementation that involves image selection.

However, Lorenzi pointed out that researchers have already designed secure touch-friendly CAPTCHAs. "My suggestion to Snapchat, if they are truly concerned with user security, is that they should scrap their current system and implement a system similar to the one suggested in this paper," he said.

Snapchat did not immediately respond to a request for comment.

Stories by Lucian Constantin