
100 lines of code to Hack new Snapchat people verification

100 lines of code could hack the new Snapchat people verification feature, which displays nine images and asks a new user to select the one containing a ghost.

Snapchat is considered by many security experts a case study in how a lack of security by design can hit a large community of users and impact their privacy. A few weeks ago the Starbucks app exposed the data of millions of customers to the risk of theft.

Recently I wrote a blog post on a couple of serious vulnerabilities in the photo messaging application Snapchat. The flaws were discovered by Gibson Security, which revealed that with a couple of exploits, known as the ‘Find Friends’ exploit and the ‘Bulk Registration’ exploit, it is possible to access data belonging to millions of users.

Unfortunately Snapchat ignored the alerts provided by Gibson Security, and a few weeks ago a website called SnapchatDB.info was published that reported personal data of 4.6 million Snapchat accounts, including usernames and phone numbers.

“The stored data were available for download, the privacy of millions of users of the application was violated,” I reported in my previous post.

At this point the situation became serious and the company had to run for cover. In early 2014 Snapchat released an update to both its iOS and Android apps, intended to add a new security feature that prevents the abuse of new user creation to recruit spambots.

During the sign-in process Snapchat displays nine pictures and asks the new user to select the images containing a “ghost”.

But after just 24 hours a developer announced a program capable of cracking it. Another hacker, Steven Hickson, needed just 30 minutes to write a script that can elude the Snapchat security improvement.
The hacker identified an image pattern to recognize the Snapchat ghost.
“The problem with this is that the Snapchat ghost is very particular. You could even call it a template. For those of you familiar with template matching (what they are asking you to do to verify your humanity), it is one of the easier tasks in computer vision.”
“First, I extract the different images from the slide above, then I threshold them and the ghost template to find objects that are that color. Next, I extract feature points and descriptors from the test image and the template using SURF and match them using FLANN. I only use the “best” matches using a distance metric and then check all the matches for uniqueness to verify one feature in the template isn’t matching most of the test features. If the uniqueness is high enough and enough features are found, we call it a ghost.” he wrote in a blog post.
Hickson wrote a script to extract the exact shape of the Snapchat ghost by matching it against the templates he has defined; the algorithm he has identified is able to bypass Snapchat’s verification test with 100 percent accuracy.
There is a ton of ways to do this using computer vision, all of them quick and effective. It’s a numbers game with computers and Snapchat’s verification system is losing.
The code for the exploit is available on GitHub at the URL https://github.com/StevenHickson/FindTheGhost
It’s time to start thinking about security in the design phase to avoid problems like this; the incident is really serious because the security feature wasn’t properly tested.
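
One way such a feature could be tested before release, as an added example that is not code from Hickson or Snapchat: a harness that measures how often a naive template matcher solves a nine-tile challenge built around one fixed mark. It swaps the SURF/FLANN matching described above for a simple sliding-window pixel comparison, and the 5x5 mark, tile generator, thresholds and function names are all constructed assumptions.

```python
import random

# Constructed 5x5 stand-in for a fixed verification mark (not Snapchat's artwork).
MARK = [[int(c) for c in row] for row in ("01110", "11111", "10101", "11111", "10101")]
SIZE, M = 10, 5  # tile edge and mark edge, in pixels (assumed sizes)


def make_tile(rng, with_mark, bg=0.2, noise=0.05):
    """Binary tile: random background, optional mark at a random offset, then pixel noise."""
    tile = [[int(rng.random() < bg) for _ in range(SIZE)] for _ in range(SIZE)]
    if with_mark:
        oy, ox = rng.randrange(SIZE - M + 1), rng.randrange(SIZE - M + 1)
        for y in range(M):
            for x in range(M):
                tile[oy + y][ox + x] = MARK[y][x]
    return [[b ^ (rng.random() < noise) for b in row] for row in tile]


def match_score(tile):
    """Best fraction of pixels agreeing with the mark, over every placement in the tile."""
    best = 0
    for oy in range(SIZE - M + 1):
        for ox in range(SIZE - M + 1):
            agree = sum(tile[oy + y][ox + x] == MARK[y][x]
                        for y in range(M) for x in range(M))
            best = max(best, agree)
    return best / (M * M)


def baseline_solve_rate(trials=200, threshold=0.8, seed=1):
    """Fraction of 9-tile challenges on which the naive matcher labels every tile correctly."""
    rng = random.Random(seed)
    solved = 0
    for _ in range(trials):
        truth = [rng.random() < 0.5 for _ in range(9)]
        tiles = [make_tile(rng, t) for t in truth]
        guess = [match_score(t) >= threshold for t in tiles]
        solved += guess == truth
    return solved / trials


def passes_release_gate(rate, max_rate=0.01):
    """A challenge design ships only if the cheap baseline almost never solves it."""
    return rate <= max_rate


if __name__ == "__main__":
    rate = baseline_solve_rate()
    print(f"baseline solve rate: {rate:.2%}, gate passed: {passes_release_gate(rate)}")
```

A design built on a single fixed shape fails this gate because the matcher only has to find one known pattern, which is the weakness the quoted post describes.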

Pierluigi Paganini

(Security Affairs –  SnapChat, hacking)
