Snapchat Person Verification Defeated In <100 Lines Of Code


[Steven Hickson] woke up this morning to an article about the new person verification system Snapchat has implemented. Thirty minutes later he had a program that solves it automatically, in less than 100 lines of code (GitHub).

First a little background. About a month ago, 4.6 million Snapchat users had their information compromised by a security hole. In an attempt to bump up security, Snapchat has implemented a new person verification method to ensure new accounts aren’t created by computers.

The method? Picking out a white ghost from a series of nine images. Kind of like a cute, less annoying Captcha. The problem? It’s a terrible way to prove you are a person. It took [Steven] only 30 minutes to write a program that uses simple thresholding, SURF keypoints and FLANN matching to find the ghost. In his tests, the program found the ghost with 100% accuracy. He also muses that there is an even more efficient way to do it; he was just too lazy to implement it.

Nice try Snapchat.
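A defender can catch this kind of weakness before launch by measuring how often trivial automated baselines pass the challenge. The harness below is an added example, not [Steven]'s code or Snapchat's: the tiles are constructed noise images, and the tile size, white threshold and 1% pass budget are assumptions. It scores a blind guess and the "most white area" heuristic a commenter suggests below.

```python
import random

TILES = 9      # the challenge on this page shows nine images
SIDE = 16      # constructed tile size in pixels (assumption)
WHITE = 230    # grayscale level counted as "white" (assumption)

def make_challenge(rng):
    """Constructed stand-in for one challenge: nine noisy grayscale tiles,
    exactly one of which also contains a solid white 8x8 shape."""
    target = rng.randrange(TILES)
    tiles = []
    for i in range(TILES):
        tile = [[rng.randrange(256) for _ in range(SIDE)] for _ in range(SIDE)]
        if i == target:
            for y in range(4, 12):
                for x in range(4, 12):
                    tile[y][x] = 255
        tiles.append(tile)
    return tiles, target

def pick_random(tiles, rng):
    """Baseline 1: blind guess among the tiles."""
    return rng.randrange(len(tiles))

def pick_most_white(tiles, rng):
    """Baseline 2: threshold each tile, pick the one with the most white pixels."""
    def white_area(tile):
        return sum(px >= WHITE for row in tile for px in row)
    return max(range(len(tiles)), key=lambda i: white_area(tiles[i]))

def pass_rate(solver, trials=500, seed=1):
    """Fraction of constructed challenges an automated baseline passes."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        tiles, target = make_challenge(rng)
        hits += solver(tiles, rng) == target
    return hits / trials

def audit(budget=0.01):
    """Map each baseline to (pass rate, within budget?). The budget is an assumption."""
    rates = {"random": pass_rate(pick_random),
             "most_white": pass_rate(pick_most_white)}
    return {name: (rate, rate <= budget) for name, rate in rates.items()}

if __name__ == "__main__":
    for name, (rate, ok) in audit().items():
        print(f"{name:10s} pass rate {rate:.3f} -> {'ok' if ok else 'REJECT design'}")
```

Both baselines exceed the budget on this constructed data: a one-in-nine choice alone fails it, before any image analysis is applied.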

53 thoughts on “Snapchat Person Verification Defeated In <100 Lines Of Code”

    1. Good cause? Are you referring to helping Google identify house numbers from (street view) images as part of their mass-collection of data? Not that I care that much about the privacy aspect, but really, that seems like something _I_ should be paid for when doing.

      1. Not sure who doesn’t know this, but…

        In a captcha, or at least Google’s ones, there’s an unknown and a known element. You have to solve the known one, because they check that. The unknown one is just Google taking advantage of you while you’re solving the captcha, to help them with their spying.

        In this case, the simple answer is, solve the captcha properly, but deliberately put the wrong number in for the house. Because I’d just as soon Google didn’t have the information. If enough people do it, it’ll hinder them. Even if they don’t, at least you’re not making the problem any worse.

        Stop being evil, Google!

          1. A wrong reply (for the unknown element) will still validate the captcha; Geekmaster is right in that it won’t likely affect the determination of that unknown element, because you’ll be out”voted”.

        1. Nice theory but absolutely false. The house number is the known element because street numbers are open and published information and the Google car knows where it was at the time of the picture. Nice attempt at Google bashing though.

        2. I thought the unknown was from their book-scanning effort, to effectively (and for free) get many eyes to look at the stuff OCR didn’t make sense of and in that way fill out the ‘blanks’. Never put any thought into how many similar answers would be needed for it to be acceptable (just assumed ‘a lot’) or into how much human checking of those answers there are (just assumed ‘not very much’).

      2. Yeah, it’s unfortunate – reCAPTCHA used to be used to help OCR Google Books… still Google, but at least it was for a good cause. The switch to house numbers really bugged me. Seems like they took out a large loan on the good will of people who backed the system from the beginning.

      3. Typical unwarranted American self-importance.

        It couldn’t POSSIBLY be that having accurate house numbers in Google Maps decreases the likelihood of someone being given incorrect directions.

        It couldn’t POSSIBLY be that this increase in accuracy could actually help you by ensuring that delivery drivers or shipping companies are actually able to find your house and don’t end up delivering your Arduino to a house two doors down instead.

        No, it surely must be Google SPYING on you, because heaven knows you’re so god damn interesting that people are just waiting for your house number to be digitized so that they can send the fucking Stasi over to your house. Because that sure is the most logical end result of this.

        Christ, you sound like the idiotic helicopter parents railing against Google Glass because people might be taking pictures of MAH BAYBEH!! Newsflash, jackass: That guy in the restaurant wearing Glass doesn’t give a shit about you personally, he’s more interested in taking photos of his meal because he mistakenly thinks his Twitter followers care. Google doesn’t give a shit about you personally, they’re more interested in ensuring that users of Google Maps don’t look up directions to Joe Schmoe’s house and end up at yours instead.

        Pull your head out of your ass and stop thinking that you’re such a Very Important Person.

        1. Agreed – without the hysteria though. OMG that man is wearing google glass, he COULD be taking pictures of me without me knowing!…yeah…he could… except that you’re probably as boring as everyone else out there. There are far more efficient tools at taking spy images than something you blatantly wear on your face.

      4. Poor trolling… Anyone can go with a GPS-enabled device and mark house numbers in OpenStreetMap. Now is *that* wrong? Moreover, they can just go and ask the officials to give/sell this data. It’s public.

  1. I had a little google but I guess I’m missing the proper term to use, are the verifications who ask a written out question like for example “what is the even number in 11, fifty-four , 33 , nine” type in any way hard to get around with scripting ?
    I do find them in any case less annoying than those “unreadable (for OCR and in many cases my eyes) text” captchas.

    1. Not at all. Recognizing English numbers is easy, and the pool of questions (like “what is the even number”) is likely to be small enough for any site that each one can be detected and handled by a script. The basis of any CAPTCHA test (visual or not) needs to be something that computers are fundamentally bad at, and word problems don’t fall into that category.

  2. What are CAPTCHAs but reverse Turing tests?
    why not a reverse-reverse Turing test, a ‘Turing Test’ if you will

    connect a user to either another user or a fake user and allow conversation
    after a short period allow user to choose human or computer.
    if user correctly identifies computer then continue
    if user is connected to another user, the second user’s access depends on first users answer.

    run the test 100 or so times to avoid malicious users, define a suitable pass threshold.
    bonus: majority of malicious users will essentially kill all submissions. the masses have spoken. Take this as a sign that you should give up hope for a productive system and shut it down

    the only problem i can see is the massive increase in authentication time, but it is a price we must accept for anonymous posting free of some purely computer generated spam

    1. Besides the massively increased time-wasting, the amount of rape threats, murder threats, religious babble and gods know what other sort of lunacy this thing would invite, would kill it dead in minutes. What you’d be doing is adding an event to the trolling olympics.

      The other main problem is that many real people are stupider and less capable of a realistic conversation than a modern computer.

      1. “The other main problem is that many real people are stupider and less capable of a realistic conversation than a modern computer.”

        Delete the words other and main, one ends up with statement that has universal use. That edit is going into my text file of useful quotes, thanks.

  3. Computers are great for recognizing patterns if you know exactly what you will be looking for.

    But even without any fancy scripting, just select one of the nine possible answers at random, and you’ll still be right 11% of the time; I’d think that’s good enough for spammer and other scum. You could even improve the rate a bit by selecting one of the pictures with the most white surface area.

    This kind of “validation” is nothing short of retarded. Besides, a hacker that can find and exploit a serious security hole would probably need only one account, and is most likely capable of creating one manually. I don’t see what this would have to do with security.

    1. It only serves a protective purpose while it is novel (and to a certain degree for sites with little to no traffic – targets not worth the effort if my automated spam script can’t get in)

      Though not entirely the same situation, but remember when car-alarms were new? holy shit people jumped and yelled if they heard one, it was a great deterrent and effective re-active security. Today nobody even turns if they hear it. so the thieves are barely bothered by it (before it was popular with car-alarms, a thief would just move on to the next car without an alarm, unless he was interested in that particular car – in which case he might put more effort into getting (into) it – pretty much the same with sites)

      You can cut down on spam on unimportant sites simply by asking a static question (or better by using a variable captcha of some kind), but on popular worthwhile targets the spammers could find it financially viable to hire people to manually create accounts and spam all day (no captcha system can stop that.) and/or build databases of answers or find other ways to increase positive hits. The better a target, the more manual labour is worthwhile – to the point where it’s worthwhile for a large team of highly skilled hackers/spammers working 24/7 on the same target/site.

      Captcha does not solve the issue of spamming accounts. it solves the issue of today’s automated tools getting into your site. but not any kind of concentrated effort. Using it to verify if someone is a person is pointless to the antispam effort, because even if it did work 100%, all spam originates from a person at some point, they just need to adjust their strategy (or update their scripts occasionally) if they deem your site worthwhile.

  4. I humbly suggest a grammar Nazi captcha:

    You walk ______ dog so it can do ____ business (but _____ pretty sure _____ neighbors would prefer if it wasn’t done in _____ yards)
    (your/you’re/yore) (its/it’s) (your/you’re/yore) (your/you’re/yore) (there/their/they’re)

    1. You run into an issue also seen with captchas; human/cultural differences – your specific problem would be you assume everyone on a site are native English speakers (and educated dittos). That might be fine for your private site, but it won’t work for Snapchat.

      I remember reading about issues with some sites asking for people to judge the emotions of a person in a picture – and that can be very hard if you are not of the same race and culture as the pictured person.

      Your example is very biased towards you and your own culture/language (some would say “typical selfish American attitude”). almost insultingly so. but i forgive you because you have a cute bushy tail and those innocent looking eyes… :-)

  5. Yes, Snapchat, please invent your own security system to keep the bad people out, because that TOTALLY worked for your API.

    Seriously… We already have tools that work. Why do people insist on poorly reinventing the wheel? Again. And again. And again….

    1. Hundreds of thousands of lines of code that are run under an operating system that has, what, millions of lines of code or more? If only Snapchat had used an existing library instead of rolling their own, their thing might be more secure with less work too.

  6. The worst captchas were the rapidshare ‘cat’ ones

    With a large enough library of non-web-indexed photos, ‘pick the (random animal/object)’ from a 5×5 grid, one containing the object, would probably work and be quicker than re-captcha.
    Taking into account cultural differences. E.g I hear US peeps aren’t familiar with the electric kettle (kitchen appliance specifically for boiling 2-3L of water). Whereas it would be very uncommon for a house in the UK to not have one.
