Snapchat Account Registration CAPTCHA Defeated

hypnosec writes "Snapchat's security troubles continue as a security researcher has managed to hack its account registration CAPTCHA system with a program of less than 100 lines that took 30 minutes to develop. Steve Hickson, a computer engineer by education, wrote a small computer program with very little effort that identifies Snapchat's ghost from the given set of images. Hickson equates Snapchat's ghost very particular and calls it a template that can be matched easily using a computer program. Hickson used a combination of Open Source Computer Vision Library (OpenCV), SURF points and FLANN matching "with a uniqueness test to determine that multiple keypoints in the training image weren't being singularly matched in the testing image.""

Re:3 Billion

[game kid]

A site with barely-broadcastable body pictures that end up disappearing from it and yet still end up preserved on other parts of the web?

I say it's already like MySpace.

Re:

[ackthpt]

Jane, how do I share this thing?!? Jaaaannne!

Is the future here yet? I feel like having toast.

Need

[Anonymous Coward]

I need this code because half the time I can't figure out what the capture characters are myself.

Re:

[bobjr94]

I would like a firefox captcha reading plugin

Re:

[Sockatume]

If you click through, it's not a conventional Captcha; it's the company's logo inserted into some cartoon images. The point of the article is that it's a trivial computer vision problem.

So What?

[Anonymous Coward]

So, what does this mean?

Disappearing spam?
A flood of dick picks?
Nothing at all?

"Hickson equates Snapchat's ghost very particular"

[Anonymous Coward]

EMFDYSI?

Re:

[MillionthMonkey]

EMFDYSI?

Fix his sentence by swapping two verbs and add a preposition:

"Hickson calls Snapchat's ghost very particular and equates it to a template that can be matched easily using a computer program."

See? I'm a human, man.

As for "EMDYSI?", I thought that was a CAPTCHA for a second and was about to prove my humanity with an eight-character response.

The mangled version is in the original

[Vainglorious Coward]

Note also that the hypnosec didn't "write" this submission - like the vast majority of submitters s/he simply copy& pasted the first two paragraphs from the fine article. In other words, both submitter and slashdot admin either didn't read it, or have terrible reading comprehension skills. Probably both.

CAPTCHAS

[LoRdTAW]

So is there a way you could randomly seed an algorithm to generate a ghost with some noise in its drawing to throw off the vision processing? I realize the ghost is their logo but distorting it randomly could help thwart such an attack. Or am I missing something?

Re:

[Desler]

Sure that would likely thwart it. The point is that it's currently crappily implemented.

Re:

[ackthpt]

Sure that would likely thwart it. The point is that it's currently crappily implemented.

Subject to change without notice .. after all, why do they need to tell anyone they are changing how anything works?

AmIHotOrNot

[MillionthMonkey]

One would think they would use an "AmIHotOrNot"-style CAPTCHA- show some snapped images, and ask "who would you most like to have sex with?"

Re:

[MillionthMonkey]

Actually, if you do a google image search and actually look at SnapChat's "CAPTCHA", [mashable.com] it's unbelievable, like a piece of work from the nineties.

It shows you nine images and asks you to select the ones where the ghost appears. (Random selections net 1 success in 512 right there, and they probably won't show you zero, one, eight, or nine ghosts, increasing success rates to 492 to 1.)

Notice that a ghost or its impostor is always the only white shape in the image. (Sometimes there are also a few white stars, moo

Re:

[michelcolman]

And then if it clicks on a computer in the background of one of the pictures, you know it's a bot.

Not a few lines of code -

[Anonymous Coward]

uses 3 well developed source libraries

Re:

[Anonymous Coward]

If you wish to make an apple pie from scratch, you must first invent the universe. --Carl Sagan

Re:

[sexconker]

If you wish to make an apple pie from scratch, you must first invent the universe. --Carl Sagan

And if you wish to be a "security researcher" you must never do any useful research, programming, or learning.

Captchas are dead, dead, dead

[Arrogant-Bastard]

I've been saying this for years -- here and elsewhere. Yet their foolish supporters continue to insist on using them, despite the steady parade of demonstration proofs showing that they're easily defeated. (I'm not going to bother with the catalog of links this time. Use a search engine. Read the items that show up on the first two pages of results -- that should be enough.)

Either you're defending an important resource or you're not. If you're not, then you don't need captchas and shouldn't use the

Re:

[TrollstonButterbeans]

The actual stupidity isn't CAPTCHAs. It is the use of a single method with very slight deviation.

"Here is our ONE single WAY we have thought of to secure this!" --- this is the fail.

Re:

[jonwil]

The best CAPTCHA type thing I have seen is one that displays one larger image and 4 smaller images and asks you to match the content of one of the smaller images to the larger image (e.g. "drag the plug to the socket").

Small problem set

[MillionthMonkey]

There are two problems with higher-order processing CAPTCHAs like that. One is the small problem set. A human at the website has to actually think of those connections between plugs and sockets, or umbrellas and rainstorms, or pizza and ovens, or hair and shampoo, etc. So the problem space is small. Then, blindly guessing answers still yields a decent success rate. Your particular example can be guessed with a success rate of 1 in 256.

Blurring a pair of words from a dictionary onto each other automatically generates millions of possible challenges, and random guessing won't work as well- at least some image analysis is needed.

My own idea for a CAPTCHA is to use images from Google Street View. Show random street view images of a bunch of houses, and ask, "what's the house number"? That would probably take a while to crack, long enough for me to dump my startup site's shares before all the porn gets leaked- if not for those assholes at Google interfering.

Re:

[Anonymous Coward]

My own idea for a CAPTCHA is to use images from Google Street View. Show random street view images of a bunch of houses, and ask, "what's the house number"? That would probably take a while to crack, long enough for me to dump my startup site's shares before all the porn gets leaked- if not for those assholes at Google interfering.

That's exactly what reCAPTCHA (which was acquired by Google) does. For example: screenshot of reCAPTCHA [wikimedia.org].

Re:

[MillionthMonkey]

That's exactly what reCAPTCHA (which was acquired by Google) does. For example: screenshot of reCAPTCHA [wikimedia.org].

Sigh... I need a better job...

I make captchas. 1/256 random is a good captcha

[raymorris]

If the captcha is easy enough for humans, 1 in 256 random chance is fine for many applications. I've designed several very successful captcha systems used on thousands of sites. There are two reasons I say 1 / 256 is often fine.

First, let's consider one typical use case - blog spam. The spammer has a choice. He can spend this evening posting to 1,000 blogs with captchas, or the same amount of time post to 256,000 blogs without captchas. Which would you choose if you were a spammer? You choose the unprotected sites, of course. Sites without captchas get hundreds of times as much spam. Bad guys are by definition lazy, so they go after the low hanging fruit. Don't be low hanging fruit.

In other use cases, there may not be direct competition. Still, there's a cost / benefit analysis. Let's say it costs 1 penny of resources to register and use a snapchat account in a way the generates 12 cents in revenue. Multiply the cost by 256 and it's no longer profitable to abuse the service.

For most of our customers, the captcha is one part of a defense against brute force on the login screen. Assume that due to the other components of the system, you need 10,000 proxies to successfully brute force the login, because IPs banned after a dozen failed attempts. The captcha multiplies that by 256, so you now need over 2.5 MILLION proxies. I suspect that nobody has 2.5 million proxies to use. We have one of the largest lists of open proxies in the world, and even we don't have quite that many.

after the hack, something odd happened...

[Connie_Lingus]

...Mr. Hickson disappeared after 10 seconds.

Re:

[ackthpt]

Nah. They'll buy him out.

"OK, buy him out boys." CRUNCH CRACK SHATTER BREAK

"I didnt become this rich by writing checks"

Why is the summary written in Chinglish?

[wonkey_monkey]

Hickson equates Snapchat's ghost very particular and calls it a template

Why is the summary written in Chinglish?

Oh wait, I know. It's because the submitter blindly copy-pasted it from the article and the editors don't give two shits about looking lazy and incompetent.

hypnosec writes

Can we please stop displaying this lie on practically every story? hynosec didn't write anything.

The 2 best ways to crack any Captchca...

[Anonymous Coward]

1. Harness the power of horny teenagers by creating a free porn website that requires registration requiring a captcha, which is actually the redirected captcha of your target website.
2. Pay a room full of Indians to enter captchas all day.
You're welcome.

Re:

[foobar bazbot]

Actually, snapchat's captcha is so incredibly computer-friendly that writing a program to break it is probably the cheapest/easiest way for once. Seriously, it's like some sort of homework assignment from a computer vision class.

Power of jailbait.

[meaty]

The desire to get access to jailbait will overcome all obstacles.

Less than a 100 lines???

[LordWabbit2]

Less than a 100 lines???
How many lines of code are in OpenCV?

Re:

[michelcolman]

Just one (if you remove the line feeds)

Re:

[LordWabbit2]

Wrong, I think you will find that most compilers will balk at any single line of code longer than 65 536 characters.
I doubt OpenCV is that short.
Also you forgot about the carriage returns. (Me being pedantic)
But if we had to extend your reasoning to everything and ignore line limits then we could say that all the software in the world is a single line of code and we pay programmers too much for one line of code.

I worked at a company that measured work progress by lines of code (LOC) stupid bloody idea