Topics: Encryption, Security, Social Networks

Snapchat Account Registration CAPTCHA Defeated

Posted by timothy
from the take-a-picture-it'll-last-longer dept.
hypnosec writes "Snapchat's security troubles continue as a security researcher has managed to hack its account registration CAPTCHA system with a program of fewer than 100 lines that took 30 minutes to develop. Steve Hickson, a computer engineer by education, wrote a small computer program with very little effort that identifies Snapchat's ghost from the given set of images. Hickson describes Snapchat's ghost as very particular and calls it a template that can be matched easily using a computer program. Hickson used a combination of the Open Source Computer Vision Library (OpenCV), SURF points and FLANN matching "with a uniqueness test to determine that multiple keypoints in the training image weren't being singularly matched in the testing image.""
  • Need (Score:5, Insightful)

    by Anonymous Coward on Thursday January 23, 2014 @05:03PM (#46050285)

    I need this code because half the time I can't figure out what the captcha characters are myself.

  • CAPTCHAS (Score:4, Insightful)

    by LoRdTAW (99712) on Thursday January 23, 2014 @05:08PM (#46050351)

    So is there a way you could randomly seed an algorithm to generate a ghost with some noise in its drawing to throw off the vision processing? I realize the ghost is their logo but distorting it randomly could help thwart such an attack. Or am I missing something?

  • by Anonymous Coward on Thursday January 23, 2014 @05:26PM (#46050607)

    uses 3 well-developed source libraries

  • by Anonymous Coward on Thursday January 23, 2014 @06:46PM (#46051463)

    If you wish to make an apple pie from scratch, you must first invent the universe. --Carl Sagan

  • by raymorris (2726007) on Thursday January 23, 2014 @11:04PM (#46053259)

    If the captcha is easy enough for humans, 1 in 256 random chance is fine for many applications. I've designed several very successful captcha systems used on thousands of sites. There are two reasons I say 1 / 256 is often fine.

    First, let's consider one typical use case - blog spam. The spammer has a choice. He can spend this evening posting to 1,000 blogs with captchas, or the same amount of time post to 256,000 blogs without captchas. Which would you choose if you were a spammer? You choose the unprotected sites, of course. Sites without captchas get hundreds of times as much spam. Bad guys are by definition lazy, so they go after the low hanging fruit. Don't be low hanging fruit.

    In other use cases, there may not be direct competition. Still, there's a cost / benefit analysis. Let's say it costs 1 penny of resources to register and use a snapchat account in a way that generates 12 cents in revenue. Multiply the cost by 256 and it's no longer profitable to abuse the service.

    For most of our customers, the captcha is one part of a defense against brute force on the login screen. Assume that due to the other components of the system, you need 10,000 proxies to successfully brute force the login, because IPs are banned after a dozen failed attempts. The captcha multiplies that by 256, so you now need over 2.5 MILLION proxies. I suspect that nobody has 2.5 million proxies to use. We have one of the largest lists of open proxies in the world, and even we don't have quite that many.
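The cost-multiplier argument in the comment above, written out as a small Python model. This is an added example, not code from the thread, from Snapchat or from the researcher; it assumes a CAPTCHA that a guessing bot passes with a fixed probability p per submission (1/256 in the comment), that a failed CAPTCHA still counts as one of the failed attempts an IP gets before a ban, and it uses only the figures quoted in the comment (a dozen failures per IP, 10,000 proxies, 1 cent cost against 12 cents revenue). The function names are hypothetical.

```python
"""Defender-side cost model for a CAPTCHA with a fixed random-guess pass rate.

Constructed example. Parameter values used below are the ones quoted in the
comment: 1/256 guess rate, 12 failed logins per IP before a ban, 10,000 proxies,
1 cent cost per registration attempt versus 12 cents revenue per account.
Nothing here talks to any real service.
"""
import math
from fractions import Fraction

# Assumed (hypothetical) defaults taken from the comment's worked numbers.
DEFAULT_PASS_PROBABILITY = Fraction(1, 256)
FAILURES_PER_IP_BEFORE_BAN = 12


def expected_attempts_per_success(pass_probability: Fraction) -> Fraction:
    """Mean CAPTCHA submissions a guessing bot needs per pass.

    Passes are Bernoulli trials, so the count is geometric with mean 1/p.
    """
    if not 0 < pass_probability <= 1:
        raise ValueError("pass probability must be in (0, 1]")
    return 1 / pass_probability


def proxies_needed(proxies_without_captcha: int, pass_probability: Fraction) -> int:
    """Proxy budget once every login attempt must also pass the CAPTCHA.

    Each attempt still burns one of the per-IP failures, but only a fraction p
    of attempts ever reach the password check, so the budget scales by 1/p.
    """
    return math.ceil(proxies_without_captcha * expected_attempts_per_success(pass_probability))


def proxies_for_guess_budget(password_guesses: int, failures_per_ip: int,
                             pass_probability: Fraction) -> int:
    """Same figure derived from the guess count instead of the proxy count.

    Without a CAPTCHA, 10,000 proxies * 12 failures = 120,000 password guesses;
    with one, each guess costs 1/p submissions on average.
    """
    submissions = password_guesses * expected_attempts_per_success(pass_probability)
    return math.ceil(submissions / failures_per_ip)


def abuse_is_profitable(cost_per_attempt_cents: Fraction,
                        revenue_per_account_cents: Fraction,
                        pass_probability: Fraction) -> bool:
    """Expected cost of one successful registration against what it earns."""
    expected_cost = cost_per_attempt_cents * expected_attempts_per_success(pass_probability)
    return expected_cost < revenue_per_account_cents


def captcha_cost_report(pass_probability: Fraction = DEFAULT_PASS_PROBABILITY,
                        proxies_without_captcha: int = 10_000,
                        cost_cents: Fraction = Fraction(1),
                        revenue_cents: Fraction = Fraction(12)) -> dict:
    """Bundle the comment's three scenarios for one CAPTCHA strength."""
    multiplier = expected_attempts_per_success(pass_probability)
    return {
        "multiplier": int(multiplier),
        "proxies_needed": proxies_needed(proxies_without_captcha, pass_probability),
        "profitable_without_captcha": abuse_is_profitable(cost_cents, revenue_cents, Fraction(1)),
        "profitable_with_captcha": abuse_is_profitable(cost_cents, revenue_cents, pass_probability),
    }


if __name__ == "__main__":
    for key, value in captcha_cost_report().items():
        print(f"{key}: {value}")
```

The model only says what the comment says, in numbers: a CAPTCHA that a bot passes one time in 256 does not block anything outright, it multiplies the attacker's proxy budget and per-account cost by 256, which is what turns a 1 cent / 12 cent trade into a loss.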
