
Snapchat's captcha-like user verification cracked less than an hour after release

Nishtha Kanal January 23, 2014, 12:09:38 IST

Snapchat simply can’t catch a break. The self-destructing message service introduced a new captcha method for users to prove they’re not bots, but was in for an embarrassment when a hacker took barely an hour to discover a workaround against the measure. In order to confirm that you’re not a bot but a real person now, Snapchat will display a cutesy version of the captcha. While in normal circumstances on websites and other services, you’re required to write words and numbers that appear on the screen, with Snapchat you need to simply select photos.


Nine pictures will appear on the screen and some of them hide the Snapchat mascot, the ghost. Once you select them correctly, the service will let you move forward. The move comes after Snapchat came under fire from various quarters for its lax security measures on the website.

Found the ghost! (Image credit: Steven Hickson)

TechCrunch reports that Graham Smith, a 16-year-old hacker, reportedly brought gaping holes and bugs in the service to Snapchat’s attention just before it released this security measure. He pointed out that there was a flaw that left the Find Friends feature on Snapchat vulnerable, despite the patch that the company released. Snapchat was forced to take quick action after a hacker put usernames and phone numbers of 4.6 million users online.

Smith reportedly found more bugs and contacted Bobby Murphy, CTO of Snapchat, using leaked details to find his number. He realised that the fixed feature still made number verification an in-app feature, but no server-side checks were made. He contacted Murphy again to let him know of the flaw. He went on to predict that Snapchat would end up using a captcha-based system, and right on cue, Snapchat has released this feature.

The company said in a statement, “We appreciate the efforts of those who help identify vulnerabilities in our service and we continue to make significant progress in our efforts to secure Snapchat.”

However, this new arrangement too took a beating when a hacker named Steven Hickson announced on his blog that he had managed to crack Snapchat’s captcha in less than an hour. He wrote template-matching code of only 100 lines and managed to circumvent Snapchat’s measures. He used a combination of OpenCV, SURF and FLANN to build the script.

“With very little effort, my code was able to ‘find the ghost’ in the above example with 100 percent accuracy. I’m not saying it is perfect, far from it,” Hickson wrote. “I’m just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong. There are a ton of ways to do this using computer vision, all of them quick and effective. It’s a numbers game with computers and Snapchat’s verification system is losing.”

Smith, too, tweeted that he had managed to circumvent the “Snaptcha” but hasn’t revealed details yet. For Snapchat’s sake, we hope finding the ghost was only a stop-gap security measure and not a permanent solution.
