Snapchat’s New CAPTCHA Hacked in 30 Minutes, 100 Lines of Code

Just one day after the photo sharing application announced its latest security measure, a researcher claimed he was able to hack it with as few as 100 lines of C++ code.

It was only going to be a matter of time before someone figured out a way past Snapchat’s new CAPTCHA verification method. Just one day after the photo sharing application announced its latest security measure, one researcher claimed Wednesday that he was able to hack it with as few as 100 lines of C++ code.

Steven Hickson, a computer engineering grad from Clemson University, wrote on his personal blog this week that it only took him about 30 minutes to come up with a way around the company’s new people verification system and that it works “with 100 percent accuracy.”

The system is based on identifying a series of nine illustrations: some have a white ghost, the app’s mascot, and some don’t. To make sure a new user is human, Snapchat has the user click on however many of the boxes contain a ghost.

“This is an incredibly bad way to verify someone is a person because it is such an easy problem for a computer to solve,” Hickson wrote on his Computer Vision Blog Wednesday.

Hickson used OpenCV (Open Source Computer Vision Library), open source code initially developed by Intel, and a segmentation method known as simple thresholding to get his computer on the right track. OpenCV assists in “real-time computer vision” and thresholding helps the computer differentiate whichever pixels you’re interested in from the rest of them.

Hickson also used algorithms like SURF, an interest point detector and descriptor, and FLANN, a library for performing fast approximate nearest neighbor searches, to perform a “uniqueness test to determine that multiple keypoints in the training image weren’t being singularly matched in the testing image.”

Basically Hickson gave his computer an idea of what the Snapchat ghost looks like and it went to work, searching for corresponding points in Snapchat’s puzzle and matching ghosts to ghosts.

“With very little effort, my code was able to ‘find the ghost’ in the above example with 100% accuracy,” Hickson said, calling what he did “one of the easier tasks in computer vision.”

Hickson, who posted the code he used on Github, mentions there are several different ways he could have gone about his experiment. Histogram of Oriented Gradients, or HOG, is another technique used for object detection that lets computers see the world, so to speak.

It’s another security misstep by the much-buzzed-about Snapchat.

Late last year researchers divulged the details regarding two privacy bugs in the application’s ‘Find Friends’ functionality that hackers quickly used to leak 4.6 million of the service’s usernames and partial phone numbers. The hackers started a site, SnapchatDB.info, to host the information but that site has since been taken down.

The new verification system was the latest move by the company to shore up the app’s security.

Just a few weeks ago the company apologized for their error and pushed out a new update of the app that requires users to verify their phone number before using the ‘Find Friends’ feature and gave users the ability to opt out of linking their phone numbers with their usernames.
