Snapchat has no shortage of security issues, and its latest attempt to keep out bots with the app’s ghost mascot was no real deterrent for hackers. The feature, introduced on Wednesday, asks users to pick out the illustrations containing the ghost in order to proceed as a real person. Unfortunately, the ghost is the same image every time, with no geometric variation, so a simple image-recognition script let one developer defeat it in under an hour.
In a blog post describing the technique, computer programmer Steven Hickson said he was able to break the app’s ghost captchas in fewer than 100 lines of code and about one hour:
First, I extract the different images from the slide above, then I threshold them and the ghost template to find objects that are that color. Next, I extract feature points and descriptors from the test image and the template using SURF and match them using FLANN. I only use the “best” matches using a distance metric and then check all the matches for uniqueness to verify one feature in the template isn’t matching most of the test features. If the uniqueness is high enough and enough features are found, we call it a ghost.
With very little effort, my code was able to “find the ghost” in the above example with 100% accuracy.
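The pipeline Hickson describes (threshold on the ghost colour, extract features from template and test image, match, keep the best matches, check uniqueness, decide), as an added toy re-implementation that is not his code and not part of the original post. Everything in it is an assumption for illustration: the ghost glyph, the two slides and the other-colour decoys are constructed ASCII images; an 81-bit binary patch around each silhouette boundary pixel stands in for SURF descriptors and a brute-force Hamming nearest-neighbour search for FLANN, so it runs without OpenCV; and the thresholds MAX_DIST, MIN_MATCH_FRAC and MIN_UNIQUENESS are made-up values. The point it shows is the one the article makes: because the captcha reuses a pixel-identical ghost, every template feature finds an exact match and the uniqueness ratio comes out at 1.0, while a box of the same colour is rejected on match count.

```python
"""Toy version of the ghost-detection pipeline in the quoted post (added example, not Hickson's code).
Constructed ASCII images: '#' = ghost colour, 'o' = another colour, '.' = background.
An 81-bit patch around each silhouette boundary pixel stands in for SURF descriptors and
brute-force Hamming nearest neighbour for FLANN; the match filtering follows the post."""

GHOST_COLOUR = "#"
RADIUS = 4            # descriptor = (2*RADIUS+1)**2 = 81-bit patch around a keypoint
MAX_DIST = 2          # Hamming tolerance; the captcha ghost is pixel-identical, so keep it tiny
MIN_MATCH_FRAC = 0.6  # share of template features that must find a match (assumed value)
MIN_UNIQUENESS = 0.8  # distinct matched test features / matches, rejects one-to-many (assumed)

TEMPLATE = [          # stand-in for the reused ghost glyph (constructed)
    "..###..",
    ".#####.",
    "#######",
    "#######",
    "#######",
    "#######",
    "#######",
    "#.#.#.#",
]

GHOST_SLIDE = [       # the glyph unchanged, plus other-colour decoys and same-colour noise
    "....###.....",
    "...#####....",
    "..#######...",
    "..#######...",
    "..#######...",
    "..#######...",
    "..#######...",
    "..#.#.#.#...",
    "............",
    "............",
    "oooooo......",
    "............",
    "........###.",
    "........###.",
]

NO_GHOST_SLIDE = [    # same colour, different shape: a box and a diagonal line
    ".#########..",
    ".#########..",
    ".#########..",
    ".#########..",
    ".#########..",
    ".#########..",
    "............",
    "oooo........",
    "........#...",
    ".........#..",
    "..........#.",
]

NEIGHBOURS8 = [(dr, dc) for dr in (-1, 0, 1) for dc in (-1, 0, 1) if (dr, dc) != (0, 0)]


def threshold(image, colour=GHOST_COLOUR):
    """Step 1: keep only ghost-coloured pixels -> binary mask as a set of (row, col)."""
    return {(r, c) for r, row in enumerate(image) for c, ch in enumerate(row) if ch == colour}


def extract_features(mask):
    """Step 2: keypoints are silhouette boundary pixels; descriptor = 81-bit patch bitmap."""
    features = []
    for r, c in sorted(mask):
        if all((r + dr, c + dc) in mask for dr, dc in NEIGHBOURS8):
            continue  # interior pixel: carries no shape information
        bits = 0
        for dr in range(-RADIUS, RADIUS + 1):
            for dc in range(-RADIUS, RADIUS + 1):
                bits = (bits << 1) | int((r + dr, c + dc) in mask)  # off-image = background
        features.append(((r, c), bits))
    return features


def hamming(a, b):
    return bin(a ^ b).count("1")


def match(template_feats, test_feats):
    """Step 3: nearest test feature per template feature, keeping only close ("best") matches."""
    if not test_feats:
        return []
    matches = []
    for _, tdesc in template_feats:
        j = min(range(len(test_feats)), key=lambda j: hamming(tdesc, test_feats[j][1]))
        if hamming(tdesc, test_feats[j][1]) <= MAX_DIST:
            matches.append(j)
    return matches


def find_ghost(image, template=TEMPLATE):
    """Step 4: enough matches and enough distinct matched test features -> 'ghost'."""
    tfeats = extract_features(threshold(template))
    matches = match(tfeats, extract_features(threshold(image)))
    uniqueness = len(set(matches)) / len(matches) if matches else 0.0
    ghost = len(matches) >= MIN_MATCH_FRAC * len(tfeats) and uniqueness >= MIN_UNIQUENESS
    return {"template_features": len(tfeats), "matches": len(matches),
            "uniqueness": uniqueness, "ghost": ghost}


if __name__ == "__main__":
    print("ghost slide:   ", find_ghost(GHOST_SLIDE))
    print("no-ghost slide:", find_ghost(NO_GHOST_SLIDE))
```

The tolerance of two bits out of 81 would be far too strict against a real photo, but that is the lesson: a challenge that never distorts or varies its target lets the solver use a near-exact template, and the uniqueness ratio only has work to do when the test image contains a single feature that many template features would otherwise collapse onto.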
(The original article embedded a demonstration of the matching in action at this point.)
Surely Snapchat can do better, but it looks as though the startup is toying with security rather than taking it seriously. A challenge whose target is pixel-identical every time hands the solver a perfect reference to match against; the distortion and per-challenge variation that make a captcha hard for software are exactly what this one lacks.