"The key takeaway is that the [Snapchat] CAPTCHA simply has too low of a variation in its challenges -- images featuring a ghost -- to provide effective security," Lorenzi said Thursday via email. "I suspect Snapchat used a template based image generator in the creation of these picture challenges as it would provide an effective and efficient means to easily generate a large number of 'unique challenges' in an attempt to prevent an attacker from launching a database attack against it. Sadly, this also means that the images generated in this fashion are weak against the method Steve [Hickson] is using."
Lorenzi hopes this case will inspire other developers to be more concerned about their CAPTCHA implementations so they can make online services safer for everyone.
Traditional text-based CAPTCHAs have a high level of variation and are even a bit hard for people to solve, and that's because computers can read text very well using OCR (optical character recognition), Hickson said Thursday via email. "These days, we can do most template matching almost as well."
Snapchat should either use a well known and tested text-based CAPTCHA implementation like reCAPTCHA or should design their challenges to have a very complex answer, Hickson said. The idea is to have a question that has a large variety of possible answers and only one correct one, but Snapchat's CAPTCHA challenge is effectively nine yes-or-no questions.
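Both of Hickson's points, that template matching breaks a challenge built from one template and that nine yes-or-no questions form a tiny answer space, can be seen in the following added example. It is illustrative code written for this article, not Hickson's solver or Snapchat's CAPTCHA: the 8x8 ghost and box bitmaps, the pixel-flip noise standing in for whatever a template-based generator varies, and the 6-character, 36-symbol text CAPTCHA used for comparison are all assumptions.

```python
"""Added illustration; not code from the article, Hickson or Snapchat.

Lorenzi suspects the challenge images come from a template-based generator and
Hickson says template matching solves them; this toy reproduces both halves.
The tiles are constructed 8x8 bitmaps and the pixel-flip noise model is an
assumption about what such a generator might vary.
"""
import math
import random

# Constructed "ghost" template and a box-shaped non-ghost tile (assumed shapes).
GHOST = [
    "..####..",
    ".######.",
    "##.##.##",
    "########",
    "########",
    "########",
    "#.#..#.#",
    "........",
]
DISTRACTOR = [
    "########",
    "#......#",
    "#......#",
    "#......#",
    "#......#",
    "#......#",
    "#......#",
    "########",
]


def to_vec(bitmap):
    """Flatten an 8x8 text bitmap into a list of 0.0/1.0 pixel values."""
    return [1.0 if c == "#" else 0.0 for row in bitmap for c in row]


def ncc(a, b):
    """Normalised cross-correlation in [-1, 1]; 1.0 means identical up to brightness."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    num = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    da = math.sqrt(sum((x - ma) ** 2 for x in a))
    db = math.sqrt(sum((y - mb) ** 2 for y in b))
    return num / (da * db) if da and db else 0.0


def add_noise(vec, flip_prob, rng):
    """Assumed generator variation: flip each pixel independently with flip_prob."""
    return [1.0 - v if rng.random() < flip_prob else v for v in vec]


def generate_challenge(rng, n_tiles=9, flip_prob=0.05):
    """Template-based generator: each of the nine tiles is a noisy ghost or distractor.

    Returns (tiles, answer) where answer[i] is True when tile i contains the ghost.
    """
    answer = [rng.random() < 0.5 for _ in range(n_tiles)]
    tiles = [add_noise(to_vec(GHOST if g else DISTRACTOR), flip_prob, rng) for g in answer]
    return tiles, answer


def solve(tiles, threshold=0.4):
    """Attacker side: correlate every tile against the one known ghost template.

    Because the generator only ever varies a single template, one comparison per
    tile answers each of the nine yes/no questions.
    """
    template = to_vec(GHOST)
    return [ncc(tile, template) > threshold for tile in tiles]


def solve_rate(trials=200, seed=1):
    """Fraction of generated challenges the template matcher solves completely."""
    rng = random.Random(seed)
    solved = sum(solve(tiles) == answer for tiles, answer in
                 (generate_challenge(rng) for _ in range(trials)))
    return solved / trials


def answer_space_sizes(n_tiles=9, alphabet=36, text_len=6):
    """Number of possible answers: nine yes/no tiles versus an assumed 6-character
    text CAPTCHA over a 36-symbol alphabet (digits plus one case of letters)."""
    return 2 ** n_tiles, alphabet ** text_len


if __name__ == "__main__":
    print("distractor vs ghost template:", round(ncc(to_vec(DISTRACTOR), to_vec(GHOST)), 3))
    print("challenges solved:", solve_rate())
    image_space, text_space = answer_space_sizes()
    print("answer space: %d (image grid) vs %d (text)" % (image_space, text_space))
```

Running the block shows the two halves of the argument: with a single template to compare against, the correlation score separates ghost tiles from the distractor by a wide margin even under noise, so every nine-tile challenge falls to the same routine, and 2^9 = 512 possible answers is small enough that even blind guessing is cheap next to the 36^6 answers of the assumed text challenge. The article does not say what Snapchat's generator actually varies, which is why the noise model here is labelled a stand-in.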
Unfortunately, text-based CAPTCHAs are not very user friendly on touch-enabled devices, which is probably why Snapchat chose an implementation that involves image selection.
However, Lorenzi pointed out that researchers have already designed secure touch-friendly CAPTCHAs. "My suggestion to Snapchat, if they are truly concerned with user security, is that they should scrap their current system and implement a system similar to the one suggested in this paper," he said.
Snapchat did not immediately respond to a request for comment.