Pierluigi Paganini January 25, 2014

100 lines of code could hack new Snapchat people verification feature that displays nine images and requests new user to select the one containing a ghost.

Snapchat is considered by many security experts a case study on how a lack of security by design could hit a large community of users impacting their privacy, a few weeks ago Starbucks app exposed users’ data of millions customers to risk of theft.

Recently I’ve written a blog post on a couple of serious vulnerabilities in the photo messaging application Snapchat, the flaws were discovered by Gibson Security that revealed that using a couple of exploits known by the name The ‘Find Friends’ exploit and the ‘Bulk Registration’ Exploit it is possible to access to data belonging millions of users.

Unfortunately Snapchat has ignored the alerts provided by Gibson Security and a few weeks ago, it was published a website called SnapchatDB.info  that reported personal data of 4.6 million Snapchat accounts including usernames and phone numbers.

“The stored data were available for download, the privacy of millions users of the application was violated.” I reported in my previous post.

At this point the situation became serious, and the company is due to run for cover, early 2014 Snapchat released an update to both iOS and Android apps, the intent was to add a new security feature to prevent the abuse of new user creation to recruit it as spambot.

During sign-in process Snapchat displays nine pictures and requests new user to select images containing a “ghost”.

But just after 24 hours a developer announced to have developed a program capable of cracking it. Another hacker, Steven Hickson, just after 30 minutes realized a script that can elude the Snapchat security improvement.

The hacker identifies an image pattern to recognize the Snapchat ghost.

“The problem with this is that the Snapchat ghost is very particular. You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision.”

“First, I extract the different images from the slide above, then I threshold them and the ghost template to find objects that are that color. Next, I extract feature points and descriptors from the test image and the template using SURF and match them using FLANN. I only use the “best” matches using a distance metric and then check all the matches for uniqueness to verify one feature in the template isn’t matching most of the test features. If the uniqueness is high enough and enough features are found, we call it a ghost.” he wrote in a blog post.

Hickson wrote a script to extract the exact shape of the Snapshot by matching it with the templates ha has defined, the algorithm he has identified is able to bypass Snapchat’s verification test with 100 percent accuracy.

“There is a ton of ways to do this using computer vision, all of them quick and effective. It’s a numbers game with computers and Snapchat’s verification system is losing.“

The code for the exploit is available on Github at the URL https://github.com/StevenHickson/FindTheGhost

It’s time to start to think about security by design phase to avoid problems like this, the incident is really serious because the security feature wasn’t properly tested.

Pierluigi Paganini

(Security Affairs –  SnapChat, hacking)