
New Snapchat Verification System Defeated in 30 Minutes

Well, that didn't take long.

Social image-sharing app Snapchat's new account-verification system, instituted Tuesday (Jan. 21), has already been defeated — the latest in a string of Snapchat security failures.

Snapchat's brand-new verification system requires users to verify that they're not bots, or computer scripts, by looking through a series of nine pictures and choosing only those pictures that feature images of a ghost. (A smiling ghost is part of Snapchat's logo.)

In 30 minutes yesterday (Jan. 22), Georgia Tech grad student Steven Hickson wrote a new bot, just 100 lines of code long, which has so far had a perfect success rate in picking out Snapchat's ghosts.


Why was Snapchat's system so easy to defeat? One reason might be that the ghost images in each picture were all the same color and shape.

"The Snapchat ghost is very particular," Hickson wrote on his blog. "You could even call it a template. For those of you familiar with template matching … it is one of the easier tasks in computer vision. This is an incredibly bad way to verify someone is a person, because it is such an easy problem for a computer to solve."
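Hickson's point about template matching can be seen in a few dozen lines. The following is an added example, not code from this article or from Hickson's bot: it uses a constructed 5x5 glyph (not Snapchat's logo) and normalized cross-correlation in plain Python with no libraries. An exact copy of the glyph scores 1.0 wherever it sits in a tile, a different shape scores near zero, and a deformed copy falls well under the match threshold. That last case is the property a verification puzzle has to rely on: every instance must differ from every other instance, or one stored template solves them all. The `warp` function here is a fixed pixel perturbation standing in for a per-instance random deformation.

```python
"""Template matching on constructed data (pure Python).

Demonstrates why a CAPTCHA that reuses one fixed glyph is weak:
normalized cross-correlation (NCC) scores an exact copy 1.0, while a
different shape or a deformed copy scores far lower.
"""
import math

# Constructed 5x5 "ghost" glyph (1 = ink). Not Snapchat's actual logo.
TEMPLATE = [
    [0, 1, 1, 1, 0],
    [1, 0, 1, 0, 1],
    [1, 1, 1, 1, 1],
    [1, 1, 1, 1, 1],
    [1, 0, 1, 0, 1],
]

# A different constructed shape used as a decoy tile.
STAR = [
    [1, 0, 1, 0, 1],
    [0, 1, 1, 1, 0],
    [1, 1, 1, 1, 1],
    [0, 1, 1, 1, 0],
    [1, 0, 1, 0, 1],
]


def blank(h, w):
    """All-zero h x w image."""
    return [[0] * w for _ in range(h)]


def paste(img, glyph, top, left):
    """Copy glyph pixels into img at (top, left); returns img for chaining."""
    for r, row in enumerate(glyph):
        for c, v in enumerate(row):
            img[top + r][left + c] = v
    return img


def ncc(window, template):
    """Normalized cross-correlation of two equal-sized 2-D lists, in [-1, 1].

    1.0 means the window is an exact (up to brightness/contrast) copy of
    the template; an all-constant window scores 0.0.
    """
    a = [v for row in window for v in row]
    b = [v for row in template for v in row]
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    da = [x - ma for x in a]
    db = [x - mb for x in b]
    num = sum(x * y for x, y in zip(da, db))
    den = math.sqrt(sum(x * x for x in da) * sum(y * y for y in db))
    return num / den if den else 0.0


def best_match(image, template):
    """Slide the template over the image; return (best score, (row, col))."""
    th, tw = len(template), len(template[0])
    best = (-1.0, (0, 0))
    for r in range(len(image) - th + 1):
        for c in range(len(image[0]) - tw + 1):
            window = [row[c:c + tw] for row in image[r:r + th]]
            score = ncc(window, template)
            if score > best[0]:
                best = (score, (r, c))
    return best


def contains_glyph(image, template, threshold=0.9):
    """The bot's decision: does the template appear anywhere in the tile?"""
    return best_match(image, template)[0] >= threshold


def warp(glyph, flips=((0, 0), (0, 4), (2, 2), (4, 1), (4, 3))):
    """Flip a fixed set of pixels: a stand-in for the per-instance random
    deformation a hardened puzzle would apply so no two glyphs are
    pixel-identical. Coordinates are assumptions for this example."""
    out = [row[:] for row in glyph]
    for r, c in flips:
        out[r][c] ^= 1
    return out


# Constructed 12x12 puzzle tiles.
GHOST_TILE = paste(blank(12, 12), TEMPLATE, 3, 4)      # exact copy of the glyph
DECOY_TILE = paste(blank(12, 12), STAR, 2, 2)          # a different shape
WARPED_TILE = paste(blank(12, 12), warp(TEMPLATE), 5, 1)  # deformed copy

if __name__ == "__main__":
    for name, tile in [("ghost", GHOST_TILE), ("decoy", DECOY_TILE), ("warped", WARPED_TILE)]:
        score, pos = best_match(tile, TEMPLATE)
        print(f"{name:7s} score={score:.3f} at {pos} -> ghost? {contains_glyph(tile, TEMPLATE)}")
```

The exact copy is found at its true position with score 1.0 regardless of where it was pasted, which is all a bot needs when every tile reuses one glyph. The warped tile shows the other side: once each rendering differs in even a handful of pixels, a single stored template no longer clears the threshold, and the attacker is pushed toward a classifier that must be trained rather than copied.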

Snapchat implemented the ghost-based verification system as the latest stopgap measure following a series of security lapses, the worst of which was the online dumping of the usernames and phone numbers of 4.6 million users on Dec. 31.

Exploiting a recently uncovered Snapchat security flaw, gray-hat hackers had used Snapchat's own "Find Friends" feature to get Snapchat's servers to rapidly cough up the user information.

Instead of fixing the flaw, Snapchat simply put a rate limit on Find Friends, allowing each Snapchat account only one lookup per hour.

Following that, a Dallas teenager named Graham Smith informed Snapchat that the rate limit could be defeated by bots using fake phone numbers to rapidly create new accounts.

In response, Snapchat rolled out the ghost-hunting human-verification game, which Hickson has now shown to be useless.
