Snapchat, the recently hacked mobile photo-sharing service, has introduced two new features to improve the overall security of its apps, one of which was hacked within an hour of its release.
The company introduced a new picture-based security layer called 'find the ghost' to prevent bots from creating several dummy accounts that can potentially be used to procure user phone numbers. Because it functions like an image-based captcha, the feature was humorously termed 'Snaptcha' by TechCrunch, which first reported it. According to the report, the feature was introduced after the discovery that some bots can successfully get through the company's regular captcha security feature.
The new layer of security shows nine images to its new users while they create their accounts. Out of those nine images, the user would have to identify only those images which show Snapchat's ghost mascot. Snapchat created the 'ghost' security feature with the hope that bots would not be able to successfully identify the right images.
Additionally, the photo-messaging service has started server-side checks to ensure that users of the Find Friends feature are real people with verified phone numbers. This security feature is meant to reduce the number of spammers and scammers, lowering the possibility of hacking. However, users who are still unsure about this feature can unlink their phone numbers to stay safe.
While Snapchat implemented the image-recognition-based security layer, Steven Hickson, a computer science graduate student at Georgia Tech, has come up with '100 lines of code' that can beat it. The news came from Hickson's blog.
The technique (seen in the image below) is said to find the best match between the nine ghost-check Snapchat pictures and the reference images, thereby choosing, with some accuracy, the pictures that actually contain the Snapchat ghost mascot. Interestingly, Hickson has in the past worked in the fields of computer vision and robot perception, which undoubtedly came in handy when coding the Snaptcha-beater. This also makes him slightly more qualified to program such a bot than the average hacker, giving some slight credit back to Snapchat's developers for having thought Snaptcha would work.
Hickson says on his blog:
With very little effort, my code was able to "find the ghost" in the above example with 100% accuracy. I'm not saying it is perfect, far from it. I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong. There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing.
It is not clear whether the company will address the hack with a fix, as it has not responded. Additional security features for the messaging service are said to be on the way.