Security researcher shows that the service’s new “find the ghost” system to prove that you’re a human and not a bot can be easily tricked.
January 22, 2014 7:26 PM PST
Steve Hickson’s graphic shows points on a Snapchat ghost extracted from its image recognition system that his script matched against a Snapchat ghost template he created.
(Credit: Steve Hickson)
In about the time it takes to order one of those vile pizza replicas from Domino’s, one security researcher has proven how Snapchat’s new verification system can be hacked.
Steve Hickson used his knowledge of how computers recognize images and template matching to show how a computer could fool Snapchat’s new Captcha-style image verification that debuted on Wednesday.
“I spent around 30 minutes writing up some code” to perform the automated recognition and selection task, Hickson said. “With very little effort, my code was able to ‘find the ghost’ in the above example with 100 percent accuracy.”
He explained that after thresholding them, which separates an image into color segments, he created feature points on the original ghost template and had his script look for matches in the extracted images.
“If the uniqueness is high enough and enough features are found, we call it a ghost,” he said.
Snapchat did not immediately return a request for comment. CNET will update the story when we hear back from them.
When it comes to security, Snapchat has had a rough time of late.
The company’s user database was hacked, exposing the usernames and phone numbers of 4.6 million users, and a 16-year-old texted Snapchat Chief Technology Officer Bobby Murphy’s phone to prove that the system was still insecure.