Snapchat added an image-based security challenge to its account registration process to verify that new accounts are created by humans, but the system can easily be defeated by computers, experts said.
The new feature, known as a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is part of a series of security-related changes made by the company this month following the disclosure of vulnerabilities that allowed attackers to match large sets of phone numbers to Snapchat accounts and to register new accounts in bulk. Hackers exploited the security holes to expose the user names and phone numbers of 4.6 million users of the popular mobile photo messaging service.
Since the beginning of the week, Snapchat presents users with a set of nine images when they attempt to register a new account and asks them to select only the images that contain a white ghost -- the same one used in the Snapchat logo. "Just making sure you're not a robot," the new Snapchat CAPTCHA screen says.
"The problem with this is that the Snapchat ghost is very particular," Steven Hickson, a research assistant at Georgia Institute of Technology said Wednesday in a blog post. "You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision."
Hickson said that it took him around 30 minutes to write some code that uses OpenCV -- the Open Source Computer Vision Library -- to solve one of Snapchat's CAPTCHA challenges reliably.
The code, which he published on Github, extracts the images from the CAPTCHA challenge and uses thresholding techniques to find objects in them that have the same color as the ghost template. It then extracts feature points and descriptors from those objects and compares them with similar data from the ghost template in order to find matches.
Hickson claims his code was able to find the ghost in one CAPTCHA challenge he tested with 100 percent accuracy. There are even better methods in computer vision that could be used to do the same thing, he said.
"I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong," Hickson said. "There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing."
David Lorenzi, a graduate research assistant at Rutgers Business School in Newark who researched attacks on image CAPTCHA systems in the past, agreed with Hickson's analysis.
"The key takeaway is that the [Snapchat] CAPTCHA simply has too low of a variation in its challenges -- images featuring a ghost -- to provide effective security," Lorenzi said Thursday via email. "I suspect Snapchat used a template based image generator in the creation of these picture challenges as it would provide an effective and efficient means to easily generate a large number of 'unique challenges' in an attempt to prevent an attacker from launching a database attack against it. Sadly, this also means that the images generated in this fashion are weak against the method Steve [Hickson] is using."
Lorenzi hopes this case will inspire other developers to be more concerned about their CAPTCHA implementations so they can make online services safer for everyone.
Traditional text-based CAPTCHAs have a high level of variation and are even a bit hard for people to solve and that's because computers can read text very well using OCR (optical character recognition), Hickson said Thursday via email. "These days, we can do most template matching almost as well."
Snapchat should either use a well known and tested text-based CAPTCHA implementation like reCAPTCHA or should design their challenges to have a very complex answer, Hickson said. The idea is to have a question that has a large variety of possible answers and only a correct one, but Snapchat's CAPTCHA challenge is effectively nine yes-or-no questions.
Unfortunately text-based CAPTCHAs are not very user friendly on touch-enabled devices, which is probably why Snapchat chose an implementation that involves images selection.
However, Lorenzi pointed out that researchers have already designed secure touch-friendly CAPTCHAs. "My suggestion to Snapchat, if they are truly concerned with user security, is that they should scrap their current system and implement a system similar to the one suggested in this paper," he said.
Snapchat did not immediately respond to a request for comment.