Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Snapchat Account Registration CAPTCHA Defeated

timothy posted about 9 months ago | from the take-a-picture-it'll-last-longer dept.

Encryption 52

hypnosec writes "Snapchat's security troubles continue as a security researcher has managed to hack its account registration CAPTCHA system with a program of less than 100 lines that took 30 minutes to develop. Steve Hickson, a computer engineer by education, wrote a small computer program with very little effort that identifies Snapchat's ghost from the given set of images. Hickson equates Snapchat's ghost very particular and calls it a template that can be matched easily using a computer program. Hickson used a combination of Open Source Computer Vision Library (OpenCV), SURF points and FLANN matching "with a uniqueness test to determine that multiple keypoints in the training image weren't being singularly matched in the testing image.""

cancel ×

52 comments

Sorry! There are no comments related to the filter you selected.

3 Billion (0)

Anonymous Coward | about 9 months ago | (#46050247)

Wow what a deal for that company! How soon until it ends up like MySpace?

Re:3 Billion (3, Funny)

game kid (805301) | about 9 months ago | (#46050355)

A site with barely-broadcastable body pictures that end up disappearing from it and yet still end up preserved on other parts of the web?

I say it's already like MySpace.

Re:3 Billion (1)

ackthpt (218170) | about 9 months ago | (#46050943)

Jane, how do I share this thing?!? Jaaaannne!

Is the future here yet? I feel like having toast.

Need (5, Insightful)

Anonymous Coward | about 9 months ago | (#46050285)

I need this code because half the time I can't figure out what the capture characters are myself.

Re:Need (2)

bobjr94 (1120555) | about 9 months ago | (#46054021)

I would like a firefox captcha reading plugin

Re:Need (2)

Sockatume (732728) | about 9 months ago | (#46054587)

If you click through, it's not a conventional Captcha; it's the company's logo inserted into some cartoon images. The point of the article is that it's a trivial computer vision problem.

So What? (1)

Anonymous Coward | about 9 months ago | (#46050295)

So, what does this mean?

Disappearing spam?
A flood of dick picks?
Nothing at all?

"Hickson equates Snapchat's ghost very particular" (1)

Anonymous Coward | about 9 months ago | (#46050327)

EMFDYSI?

Re:"Hickson equates Snapchat's ghost very particul (2)

MillionthMonkey (240664) | about 9 months ago | (#46050703)

EMFDYSI?

Fix his sentence by swapping two verbs and add a preposition:

"Hickson calls Snapchat's ghost very particular and equates it to a template that can be matched easily using a computer program."

See? I'm a human, man.

As for "EMDYSI?", I thought that was a CAPTCHA for a second and was about to prove my humanity with an eight-character response.

The mangled version is in the original (1)

Vainglorious Coward (267452) | about 9 months ago | (#46051117)

Note also that the hypnosec didn't "write" this submission - like the vast majority of submitters s/he simply copy& pasted the first two paragraphs from the fine article. In other words, both submitter and slashdot admin either didn't read it, or have terrible reading comprehension skills. Probably both.

CAPTCHAS (3, Insightful)

LoRdTAW (99712) | about 9 months ago | (#46050351)

So is there a way you could randomly seed an algorithm to generate a ghost with some noise in its drawing to throw off the vision processing? I realize the ghost is their logo but distorting it randomly could help thwart such an attack. Or am I missing something?

Re:CAPTCHAS (0)

Anonymous Coward | about 9 months ago | (#46050377)

You're missing that it's a stupid captcha.

Re:CAPTCHAS (1)

Desler (1608317) | about 9 months ago | (#46050569)

Sure that would likely thwart it. The point is that it's currently crappily implemented.

Re:CAPTCHAS (1)

ackthpt (218170) | about 9 months ago | (#46050949)

Sure that would likely thwart it. The point is that it's currently crappily implemented.

Subject to change without notice .. after all, why do they need to tell anyone they are changing how anything works?

Now do it for 4chan (0)

Anonymous Coward | about 9 months ago | (#46050395)

Google turned on hardmode recently and now everyone's getting their solutions rejected.

AmIHotOrNot (2)

MillionthMonkey (240664) | about 9 months ago | (#46050495)

One would think they would use an "AmIHotOrNot"-style CAPTCHA- show some snapped images, and ask "who would you most like to have sex with?"

Re:AmIHotOrNot (0)

Anonymous Coward | about 9 months ago | (#46051433)

Any 1 in 10 or even 1 in 100 is trivially defeatable by a botnet.

Re:AmIHotOrNot (2)

MillionthMonkey (240664) | about 9 months ago | (#46051965)

Actually, if you do a google image search and actually look at SnapChat's "CAPTCHA", [mashable.com] it's unbelievable, like a piece of work from the nineties.

It shows you nine images and asks you to select the ones where the ghost appears. (Random selections net 1 success in 512 right there, and they probably won't show you zero, one, eight, or nine ghosts, increasing success rates to 492 to 1.)

Notice that a ghost or its impostor is always the only white shape in the image. (Sometimes there are also a few white stars, moons, etc.) To improve from random guessing, isolate the white blob, select its center of mass, transform the outline into polar coordinates, perform a Fourier transform, prepare a vector from the Fourier coefficients, and all the ghosts will cluster together in that vector space. (There will also be a star cluster, an apple cluster, a tree trunk cluster, a top hat cluster, a full moon cluster, etc.)

Re:AmIHotOrNot (1)

michelcolman (1208008) | about 9 months ago | (#46054291)

And then if it clicks on a computer in the background of one of the pictures, you know it's a bot.

consider it an aid for dyslexia (0)

Anonymous Coward | about 9 months ago | (#46050583)

i hate captchas because of my dyslexia. I don't think I have ever gotten one right first try. My suggestion is to post this software not a a hack or a breach, but sell ti as an aid to persons with disabilities who cannot handle captchas. Play your cards right, you 'll likely even get a government subsidy for it oo.

Not a few lines of code - (4, Insightful)

Anonymous Coward | about 9 months ago | (#46050607)

uses 3 well developed source libraries

Re:Not a few lines of code - (0)

Anonymous Coward | about 9 months ago | (#46051141)

indeed. This and that 30 minutes for 100 lines of code. That makes 3 lines per minute. A genius! or copy paste monkey with some basic intelligence.

Not a genius (0)

Anonymous Coward | about 9 months ago | (#46059329)

Not a genius to be sure - at least not from this test. But it does prove he is a highly competent computer vision engineer. I would not even know which 3 libraries to use, much less been able to find, configure, link together and debug a working solution in 30 minutes.

As others have said, the point isn't that the guy is a genius or is program is ground breaking. The point is that this Captcha is futile and snapchat is dumb for relying on it.

Captcha: I can't even read the fucker, but I wanted to put that extra bit of irony in my post.

Re:Not a few lines of code - (2, Insightful)

Anonymous Coward | about 9 months ago | (#46051463)

If you wish to make an apple pie from scratch, you must first invent the universe. --Carl Sagan

Re:Not a few lines of code - (1)

sexconker (1179573) | about 9 months ago | (#46051681)

If you wish to make an apple pie from scratch, you must first invent the universe. --Carl Sagan

And if you wish to be a "security researcher" you must never do any useful research, programming, or learning.

Crapcha! (0)

Anonymous Coward | about 9 months ago | (#46050613)

'nuff said

The pool of piss... (0)

Anonymous Coward | about 9 months ago | (#46050697)

...is open for more piss.

Security is always a social problem. Succeding with technical implementations is just a way of saying, "I'm not important enough for anyone to waste effort on me."

Captchas are dead, dead, dead (1)

Arrogant-Bastard (141720) | about 9 months ago | (#46050717)

I've been saying this for years -- here and elsewhere. Yet their foolish supporters continue to insist on using them, despite the steady parade of demonstration proofs showing that they're easily defeated. (I'm not going to bother with the catalog of links this time. Use a search engine. Read the items that show up on the first two pages of results -- that should be enough.)

Either you're defending an important resource or you're not. If you're not, then you don't need captchas and shouldn't use them. If you are, then the first person who decides that your resource is worth the trouble will break your captchas, either by code, by brute force, by co-opted masses or by some combination of those. You have no shot. NONE. If you think so, then you didn't perform the exercise I suggest in the last paragraph.)

A defense that is known-broken is not a defense at all.

Re:Captchas are dead, dead, dead (2)

TrollstonButterbeans (2914995) | about 9 months ago | (#46050951)

The actual stupidity isn't CAPTCHAs. It is the use of a single method with very slight deviation.

"Here is our ONE single WAY we have thought of to secure this!" --- this is the fail.

Re:Captchas are dead, dead, dead (1)

jonwil (467024) | about 9 months ago | (#46051051)

The best CAPTCHA type thing I have seen is one that displays one larger image and 4 smaller images and asks you to match the content of one of the smaller images to the larger image (e.g. "drag the plug to the socket").

Small problem set (3, Interesting)

MillionthMonkey (240664) | about 9 months ago | (#46052245)

There are two problems with higher-order processing CAPTCHAs like that. One is the small problem set. A human at the website has to actually think of those connections between plugs and sockets, or umbrellas and rainstorms, or pizza and ovens, or hair and shampoo, etc. So the problem space is small. Then, blindly guessing answers still yields a decent success rate. Your particular example can be guessed with a success rate of 1 in 256.

Blurring a pair of words from a dictionary onto each other automatically generates millions of possible challenges, and random guessing won't work as well- at least some image analysis is needed.

My own idea for a CAPTCHA is to use images from Google Street View. Show random street view images of a bunch of houses, and ask, "what's the house number"? That would probably take a while to crack, long enough for me to dump my startup site's shares before all the porn gets leaked- if not for those assholes at Google interfering.

Re:Small problem set (1)

Anonymous Coward | about 9 months ago | (#46052837)

My own idea for a CAPTCHA is to use images from Google Street View. Show random street view images of a bunch of houses, and ask, "what's the house number"? That would probably take a while to crack, long enough for me to dump my startup site's shares before all the porn gets leaked- if not for those assholes at Google interfering.

That's exactly what reCAPTCHA (which was acquired by Google) does. For example: screenshot of reCAPTCHA [wikimedia.org] .

Re:Small problem set (1)

MillionthMonkey (240664) | about 9 months ago | (#46053289)

That's exactly what reCAPTCHA (which was acquired by Google) does. For example: screenshot of reCAPTCHA [wikimedia.org].

Sigh... I need a better job...

I make captchas. 1/256 random is a good captcha (3, Insightful)

raymorris (2726007) | about 9 months ago | (#46053259)

If the captcha is easy enough for humans, 1 in 256 random chance is fine for many applications. I've designed several very successful captcha systems used on thousands of sites. There are two reasons I say 1 / 256 is often fine.

First, let's consider one typical use case - blog spam. The spammer has a choice. He can spend this evening posting to 1,000 blogs with captchas, or the same amount of time post to 256,000 blogs without captchas. Which would you choose if you were a spammer? You choose the unprotected sites, of course. Sites without captchas get hundreds of times as much spam. Bad guys are by definition lazy, so they go after the low hanging fruit. Don't be low hanging fruit.

In other use cases, there may not be direct competition. Still, there's a cost / benefit analysis. Let's say it costs 1 penny of resources to register and use a snapchat account in a way the generates 12 cents in revenue. Multiply the cost by 256 and it's no longer profitable to abuse the service.

For most of our customers, the captcha is one part of a defense against brute force on the login screen. Assume that due to the other components of the system, you need 10,000 proxies to successfully brute force the login, because IPs banned after a dozen failed attempts. The captcha multiplies that by 256, so you now need over 2.5 MILLION proxies. I suspect that nobody has 2.5 million proxies to use. We have one of the largest lists of open proxies in the world, and even we don't have quite that many.

after the hack, something odd happened... (4, Funny)

Connie_Lingus (317691) | about 9 months ago | (#46050785)

...Mr. Hickson disappeared after 10 seconds.

Re:after the hack, something odd happened... (1)

ackthpt (218170) | about 9 months ago | (#46050979)

Nah. They'll buy him out.

"OK, buy him out boys." CRUNCH CRACK SHATTER BREAK

"I didnt become this rich by writing checks"

Ravi Mandalia (0)

Anonymous Coward | about 9 months ago | (#46050985)

So is slashdot just link aggregation for hypnosec.

there's a reason they turned down 3 billion... (0)

Anonymous Coward | about 9 months ago | (#46051019)

because they don't want anyone to see what a shitty, insecure, GPL violating, hacked together piece of shit the code is.

was research funded by... (0)

Anonymous Coward | about 9 months ago | (#46051083)

facebook?

you do not turn me down. --m.zuckerberg

Why is the summary written in Chinglish? (1)

wonkey_monkey (2592601) | about 9 months ago | (#46051201)

Hickson equates Snapchat's ghost very particular and calls it a template

Why is the summary written in Chinglish?

Oh wait, I know. It's because the submitter blindly copy-pasted it from the article and the editors don't give two shits about looking lazy and incompetent.

hypnosec writes

Can we please stop displaying this lie on practically every story? hynosec didn't write anything.

Re:Why is the summary written in Chinglish? (0)

Anonymous Coward | about 9 months ago | (#46053729)

Hickson equates Snapchat's ghost very particular and calls it a template

Why is the summary written in Chinglish?

Oh wait, I know. It's because the submitter blindly copy-pasted it from the article and the editors don't give two shits about looking lazy and incompetent.

hypnosec writes

Can we please stop displaying this lie on practically every story? hynosec didn't write anything.

LOL, I get modded down for that.. after already having 0...

They just ran a story about the former creator of slashdot creating an app where you can choose your news topics. In that article they pretty much praised themselves as great editors thus I found your comment funny, but true.... They've become the status quo sensationalizing media, it should be more of an underground type media source trying to just keep simple truth, I bitched about this before, if they had news topics, and kept with there original "Nerdy" stories this site would be by far very popular.

Of course dropping editors that seem not to care in checking out submitted stories, and 'editing' out the lying BS would have to be part of that...

The 2 best ways to crack any Captchca... (1)

Anonymous Coward | about 9 months ago | (#46051207)

1. Harness the power of horny teenagers by creating a free porn website that requires registration requiring a captcha, which is actually the redirected captcha of your target website.
2. Pay a room full of Indians to enter captchas all day.
You're welcome.

Re:The 2 best ways to crack any Captchca... (1)

foobar bazbot (3352433) | about 9 months ago | (#46052153)

Actually, snapchat's captcha is so incredibly computer-friendly that writing a program to break it is probably the cheapest/easiest way for once. Seriously, it's like some sort of homework assignment from a computer vision class.

Power of jailbait. (1)

meaty (809792) | about 9 months ago | (#46051489)

The desire to get access to jailbait will overcome all obstacles.

Why do "researchers" bother with captchas (0)

Anonymous Coward | about 9 months ago | (#46051605)

Why do "researchers" spend their time cracking captchas on commercial sites? Everyone knows they can be cracked with enough effort and time, with the goal generally being to make it too hard for the spammers to bother. Here is just seems that the researchers are doing the spammers work for them and not actually contributing anything of value.

At the end of the day this work is a net negative to society since it does not benefit the general public, does not benefit snapchat, and does not benefit snapchat's users. The only ones who benefit are the spammers.

they should have used slashdot's captcha (0)

Anonymous Coward | about 9 months ago | (#46051857)

you know, the one with like five words that repeat over and over again

Words missing from TFS?! (0)

Anonymous Coward | about 9 months ago | (#46053179)

From TFS: "Hickson equates Snapchat's ghost very particular and calls it a template that can be matched easily using a computer program."

I"m sorry, what????

Less than a 100 lines??? (2)

LordWabbit2 (2440804) | about 9 months ago | (#46054103)

Less than a 100 lines???
How many lines of code are in OpenCV?

Re:Less than a 100 lines??? (2)

michelcolman (1208008) | about 9 months ago | (#46054301)

Just one (if you remove the line feeds)

Re:Less than a 100 lines??? (1)

LordWabbit2 (2440804) | about 9 months ago | (#46071567)

Wrong, I think you will find that most compilers will balk at any single line of code longer than 65 536 characters.
I doubt OpenCV is that short.
Also you forgot about the carriage returns. (Me being pedantic)
But if we had to extend your reasoning to everything and ignore line limits then we could say that all the software in the world is a single line of code and we pay programmers too much for one line of code.

I worked at a company that measured work progress by lines of code (LOC) stupid bloody idea that only a non programmer could come up with.
I have never come across more long ass winded code in my entire life.
Some calculation which could be done one one line took seven (or more)
Instead of refactoring common code into a function it was copy / pasted everywhere to bulk up LOC!
Suffice to say small changes to the common code was fraught with errors as one set of code was updated and a missed in a couple other places while digging through millions of lines of verbose code
Whoever came up with the idea of LOC as a measurement should be buried under the lines of redundant code it produced.

"a computer engineer by education" (0)

Anonymous Coward | about 9 months ago | (#46057507)

Huh? He's "a computer engineer by education"? Was this summary computer generated? No one says or writes "a computer engineer by education"!

My captcha is way cooler (0)

Anonymous Coward | about 9 months ago | (#46078203)

I've made a captcha in which you have to click on a "meme"

u can see it at work tryin to signup here http://esfriki.com/

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?