Snapchat added an image-based security challenge to its account registration process to verify that new accounts are created by humans, but the system can easily be defeated by computers, experts said.
The new feature, known as a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), is part of a series of security-related changes made by the company this month following the disclosure of vulnerabilities that allowed attackers to match large sets of phone numbers to Snapchat accounts and to register new accounts in bulk. Hackers exploited the security holes to expose the user names and phone numbers of 4.6 million users of the popular mobile photo messaging service.
Since the beginning of the week, Snapchat presents users with a set of nine images when they attempt to register a new account and asks them to select only the images that contain a white ghost -- the same one used in the Snapchat logo. "Just making sure you're not a robot," the new Snapchat CAPTCHA screen says.
"The problem with this is that the Snapchat ghost is very particular," Steven Hickson, a research assistant at Georgia Institute of Technology said Wednesday in a blog post. "You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision."
Hickson said that it took him around 30 minutes to write some code that uses OpenCV -- the Open Source Computer Vision Library -- to solve one of Snapchat's CAPTCHA challenges reliably.
The code, which he published on Github, extracts the images from the CAPTCHA challenge and uses thresholding techniques to find objects in them that have the same color as the ghost template. It then extracts feature points and descriptors from those objects and compares them with similar data from the ghost template in order to find matches.
Hickson claims his code was able to find the ghost in one CAPTCHA challenge he tested with 100 percent accuracy. There are even better methods in computer vision that could be used to do the same thing, he said.
"I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong," Hickson said. "There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing."
David Lorenzi, a graduate research assistant at Rutgers Business School in Newark who researched attacks on image CAPTCHA systems in the past, agreed with Hickson's analysis.
Sign up for CIO Asia eNewsletters.