Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Encryption Security Social Networks

Snapchat Account Registration CAPTCHA Defeated 52

hypnosec writes "Snapchat's security troubles continue as a security researcher has managed to hack its account registration CAPTCHA system with a program of less than 100 lines that took 30 minutes to develop. Steve Hickson, a computer engineer by education, wrote a small computer program with very little effort that identifies Snapchat's ghost from the given set of images. Hickson equates Snapchat's ghost very particular and calls it a template that can be matched easily using a computer program. Hickson used a combination of Open Source Computer Vision Library (OpenCV), SURF points and FLANN matching "with a uniqueness test to determine that multiple keypoints in the training image weren't being singularly matched in the testing image.""
This discussion has been archived. No new comments can be posted.

Snapchat Account Registration CAPTCHA Defeated

Comments Filter:
  • Need (Score:5, Insightful)

    by Anonymous Coward on Thursday January 23, 2014 @04:03PM (#46050285)

    I need this code because half the time I can't figure out what the capture characters are myself.

    • I would like a firefox captcha reading plugin
    • If you click through, it's not a conventional Captcha; it's the company's logo inserted into some cartoon images. The point of the article is that it's a trivial computer vision problem.

  • by Anonymous Coward

    So, what does this mean?

    Disappearing spam?
    A flood of dick picks?
    Nothing at all?

  • EMFDYSI?

    • EMFDYSI?

      Fix his sentence by swapping two verbs and add a preposition:

      "Hickson calls Snapchat's ghost very particular and equates it to a template that can be matched easily using a computer program."

      See? I'm a human, man.

      As for "EMDYSI?", I thought that was a CAPTCHA for a second and was about to prove my humanity with an eight-character response.

      • Note also that the hypnosec didn't "write" this submission - like the vast majority of submitters s/he simply copy& pasted the first two paragraphs from the fine article. In other words, both submitter and slashdot admin either didn't read it, or have terrible reading comprehension skills. Probably both.
  • CAPTCHAS (Score:4, Insightful)

    by LoRdTAW ( 99712 ) on Thursday January 23, 2014 @04:08PM (#46050351)

    So is there a way you could randomly seed an algorithm to generate a ghost with some noise in its drawing to throw off the vision processing? I realize the ghost is their logo but distorting it randomly could help thwart such an attack. Or am I missing something?

    • by Desler ( 1608317 )

      Sure that would likely thwart it. The point is that it's currently crappily implemented.

      • by ackthpt ( 218170 )

        Sure that would likely thwart it. The point is that it's currently crappily implemented.

        Subject to change without notice .. after all, why do they need to tell anyone they are changing how anything works?

  • by MillionthMonkey ( 240664 ) on Thursday January 23, 2014 @04:19PM (#46050495)
    One would think they would use an "AmIHotOrNot"-style CAPTCHA- show some snapped images, and ask "who would you most like to have sex with?"
    • And then if it clicks on a computer in the background of one of the pictures, you know it's a bot.

  • by Anonymous Coward on Thursday January 23, 2014 @04:26PM (#46050607)

    uses 3 well developed source libraries

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      If you wish to make an apple pie from scratch, you must first invent the universe. --Carl Sagan

      • If you wish to make an apple pie from scratch, you must first invent the universe. --Carl Sagan

        And if you wish to be a "security researcher" you must never do any useful research, programming, or learning.

  • I've been saying this for years -- here and elsewhere. Yet their foolish supporters continue to insist on using them, despite the steady parade of demonstration proofs showing that they're easily defeated. (I'm not going to bother with the catalog of links this time. Use a search engine. Read the items that show up on the first two pages of results -- that should be enough.)

    Either you're defending an important resource or you're not. If you're not, then you don't need captchas and shouldn't use the
    • The actual stupidity isn't CAPTCHAs. It is the use of a single method with very slight deviation.

      "Here is our ONE single WAY we have thought of to secure this!" --- this is the fail.
    • by jonwil ( 467024 )

      The best CAPTCHA type thing I have seen is one that displays one larger image and 4 smaller images and asks you to match the content of one of the smaller images to the larger image (e.g. "drag the plug to the socket").

      • Small problem set (Score:4, Interesting)

        by MillionthMonkey ( 240664 ) on Thursday January 23, 2014 @07:12PM (#46052245)

        There are two problems with higher-order processing CAPTCHAs like that. One is the small problem set. A human at the website has to actually think of those connections between plugs and sockets, or umbrellas and rainstorms, or pizza and ovens, or hair and shampoo, etc. So the problem space is small. Then, blindly guessing answers still yields a decent success rate. Your particular example can be guessed with a success rate of 1 in 256.

        Blurring a pair of words from a dictionary onto each other automatically generates millions of possible challenges, and random guessing won't work as well- at least some image analysis is needed.

        My own idea for a CAPTCHA is to use images from Google Street View. Show random street view images of a bunch of houses, and ask, "what's the house number"? That would probably take a while to crack, long enough for me to dump my startup site's shares before all the porn gets leaked- if not for those assholes at Google interfering.

        • by Anonymous Coward

          My own idea for a CAPTCHA is to use images from Google Street View. Show random street view images of a bunch of houses, and ask, "what's the house number"? That would probably take a while to crack, long enough for me to dump my startup site's shares before all the porn gets leaked- if not for those assholes at Google interfering.

          That's exactly what reCAPTCHA (which was acquired by Google) does. For example: screenshot of reCAPTCHA [wikimedia.org].

          • That's exactly what reCAPTCHA (which was acquired by Google) does. For example: screenshot of reCAPTCHA [wikimedia.org].

            Sigh... I need a better job...

        • by raymorris ( 2726007 ) on Thursday January 23, 2014 @10:04PM (#46053259) Journal

          If the captcha is easy enough for humans, 1 in 256 random chance is fine for many applications. I've designed several very successful captcha systems used on thousands of sites. There are two reasons I say 1 / 256 is often fine.

          First, let's consider one typical use case - blog spam. The spammer has a choice. He can spend this evening posting to 1,000 blogs with captchas, or the same amount of time post to 256,000 blogs without captchas. Which would you choose if you were a spammer? You choose the unprotected sites, of course. Sites without captchas get hundreds of times as much spam. Bad guys are by definition lazy, so they go after the low hanging fruit. Don't be low hanging fruit.

          In other use cases, there may not be direct competition. Still, there's a cost / benefit analysis. Let's say it costs 1 penny of resources to register and use a snapchat account in a way the generates 12 cents in revenue. Multiply the cost by 256 and it's no longer profitable to abuse the service.

          For most of our customers, the captcha is one part of a defense against brute force on the login screen. Assume that due to the other components of the system, you need 10,000 proxies to successfully brute force the login, because IPs banned after a dozen failed attempts. The captcha multiplies that by 256, so you now need over 2.5 MILLION proxies. I suspect that nobody has 2.5 million proxies to use. We have one of the largest lists of open proxies in the world, and even we don't have quite that many.

  • by Connie_Lingus ( 317691 ) on Thursday January 23, 2014 @04:43PM (#46050785) Homepage

    ...Mr. Hickson disappeared after 10 seconds.

    • by ackthpt ( 218170 )

      Nah. They'll buy him out.

      "OK, buy him out boys." CRUNCH CRACK SHATTER BREAK

      "I didnt become this rich by writing checks"

  • Hickson equates Snapchat's ghost very particular and calls it a template

    Why is the summary written in Chinglish?

    Oh wait, I know. It's because the submitter blindly copy-pasted it from the article and the editors don't give two shits about looking lazy and incompetent.

    hypnosec writes

    Can we please stop displaying this lie on practically every story? hynosec didn't write anything.

  • by Anonymous Coward

    1. Harness the power of horny teenagers by creating a free porn website that requires registration requiring a captcha, which is actually the redirected captcha of your target website.
    2. Pay a room full of Indians to enter captchas all day.
    You're welcome.

    • Actually, snapchat's captcha is so incredibly computer-friendly that writing a program to break it is probably the cheapest/easiest way for once. Seriously, it's like some sort of homework assignment from a computer vision class.

  • The desire to get access to jailbait will overcome all obstacles.
  • Less than a 100 lines???
    How many lines of code are in OpenCV?
    • Just one (if you remove the line feeds)

      • Wrong, I think you will find that most compilers will balk at any single line of code longer than 65 536 characters.
        I doubt OpenCV is that short.
        Also you forgot about the carriage returns. (Me being pedantic)
        But if we had to extend your reasoning to everything and ignore line limits then we could say that all the software in the world is a single line of code and we pay programmers too much for one line of code.

        I worked at a company that measured work progress by lines of code (LOC) stupid bloody idea

Do you suffer painful illumination? -- Isaac Newton, "Optics"

Working...