Snapchat’s New Verification System Already Hacked


Snapchat just can’t catch a break lately, and its users aren’t too happy.

The Snapchat team announced last week that it would be looking into complaints of large amounts of spam on the photo sharing app.

And over the last two days, it rolled out a new “ghost” verification screen in order to cut down on automated spam. The screen shows nine simple pictures, and users must select all the images containing the company’s ghost logo. Snapchat meant for the screen to be a less annoying version of a CAPTCHA in order to separate humans from nonhumans.

But the new security measure was barely live before people found one big issue with it: computers are able to find the ghost, too. Unlike standard CAPTCHAs, Snapchat’s human verification process could be rendered useless by implementing just a few simple lines of code.

Computer engineer Steven Hickson wrote in a blog post, “This is an incredibly bad way to verify someone is a person because it is such an easy problem for a computer to solve.”

Explaining how he hacked the new verification system, he wrote that the Snapchat ghost acts as a template, and that computers can easily find matching templates. He used a “thresholding” technique to determine how closely aspects of given images lined up with the ghost template.

Hickson’s program first looked for pieces of each image that were the same color as the ghost template. Then for each white blob found, the program extracted “feature points,” giving a partial outline of each blob. Were the white blobs unique, or did they line up with the template?

It took Hickson just 30 minutes to write the program. He summarizes:

With very little effort, my code was able to “find the ghost” in the above example with 100% accuracy. I’m not saying it is perfect, far from it. I’m just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong. There are a ton of ways to do this using computer vision, all of them quick and effective. It’s a numbers game with computers and Snapchat’s verification system is losing.

People who want to replicate Hickson’s results don’t even have to write their own code, as he was nice enough to include a link to the full code from his blog.

It looks like it’ll be back to the drawing board for Snapchat’s security team.

This isn’t the only big security issue the company has had recently. Earlier this month, the app had a major security breach that affected 4.6 million users. The company’s solution to that issue was to allow users to opt out of the “Find Friends” feature, making their phone numbers unsearchable.