Hacking feat spots ghosts in Snapchat's new verification tool

Jan 23, 2014 by Nancy Owano weblog

(Phys.org) — Chat service company Snapchat this week announced it was further nailing down its security with a new identification verification system, beyond annoying fancy-font CAPTCHAs, that could seal the deal in telling humans apart from information harvesters and malicious bots. With the new tool, site visitors are shown nine picture tiles, some with Snapchat's ghost mascot and some without. To prove they are human, users must pick out the tiles showing the ghost. Interestingly, Lance Whitney of CNET, reporting on the new tool, praised it as "a step in the right direction" but also asked, "But how long will it take an enterprising hacker to find a way past this latest security measure?"

The answer is not long. Steven Hickson, a graduate research assistant at Georgia Institute of Technology, with research interests that include and security, promptly put the strength of the tool to his test. He noted that "it is such an easy problem for a computer to solve."

Taking to his computer vision blog on Wednesday, he said, "The problem with this is that the Snapchat ghost is very particular. You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision."

He was able to defeat the system in less than an hour, writing code that let a computer circumvent the verification safeguard. Explaining the feat, Hickson said that "with very little effort" his code found the ghost. He found it troubling that so little effort was required.

"I'm not saying it is perfect, far from it. I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong. There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers."

Snapchat has taken security measures following the earlier data breach when account information was exposed. Snapchat said in early January that "We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years [sic] Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks." Snapchat went on to say that "We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We're also improving rate limiting and other restrictions to address future attempts to abuse our service."

According to The Washington Post on Thursday, Mary Ritti, a company spokeswoman, said, "We continue to make significant progress in our efforts to secure Snapchat."


More information: stevenhickson.blogspot.com/201… le-verification.html


User comments : 2


antialias_physorg
5 / 5 (1) Jan 23, 2014
Oh boy...whoever thought that that would actually be a safe way to tell bots from humans obviously had no clue about image segmentation/registration algorithms.
Yes, I can believe that there was little effort involved in cracking this (as the algorithms I'd use to crack this are freely available in the VTK/ITK toolkits and rather easy to use).

There is probably no 'training' involved here (no genetic algorithms or neural network learning tools - although these would likely work, too, but that would be overkill when much simpler algorithms can do the trick).

axemaster
not rated yet Jan 23, 2014
Yeah I have to agree with AA, while I've never worked with image recognition, even I can tell that this would be easy to hack through.