Snapchat ghost-CAPTCHA not as secure as it would like

It seems Snapchat’s “fixes” for a number of its security problems just aren’t sticking.

Steven Hickson published a very simple way to defeat Snapchat’s recent “find the ghost game” — a challenge the app uses to help determine whether you’re human or not.

Above: A ghost “blob.”

Image Credit: Steven Hickson

Yesterday, Snapchat confirmed that it had released a new “CAPTCHA”-like game that users need to play in order to set up an account. CAPTCHAs usually take the form of a squiggly word that humans have to type into a box to, well, prove that they’re human. It is used to stop spam bots.

Snapchat’s version makes you look at nine images and then pick which images have a “ghost.” The ghost, however, seems to be Snapchat’s downfall.

June 5th: The AI Audit in NYC

Join us next week in NYC to engage with top executive leaders, delving into strategies for auditing AI models to ensure fairness, optimal performance, and ethical compliance across diverse organizations. Secure your attendance for this exclusive invite-only event.

Hickson explains that he was able to take the ghost’s shape, referenced as a “blob,” and feed that information to a computer. The computer learns the blob and is quickly able to choose it from the images provided.

He says his code has been accurate 100 percent of the time.

Snapchat has had further issues with its patches to the Find Friends application programming interface. This API lets people look up other people using the phone number associated with their account. It was exploited by an unknown hacking group, which stole 4.6 million phone numbers and user names and published them to the Internet in a database called SnapchatDB.

Gibson Security, an Australian research firm, published information about the hole that led to the hack on Christmas Eve after alerting Snapchat to the issue in August. The hackers said they exploited the hole only to bring attention to the speed at which companies respond to bug disclosures.

Snapchat put a limit on how many times a single account could use the Find Friends API so as to also limit the number of people any given account could look up. But a young hacker by the name of Graham Smith pointed out that, well, anyone could keep making accounts.

We’ve reached out to Snapchat and will update upon hearing back.

Daily insights on business use cases with VB Daily

If you want to impress your boss, VB Daily has you covered. We give you the inside scoop on what companies are doing with generative AI, from regulatory shifts to practical deployments, so you can share insights for maximum ROI.

Read our Privacy Policy

Thanks for subscribing. Check out more VB newsletters here.

An error occured.

The insights you need without the noise