Skip to main content [aditude-amp id="stickyleaderboard" targeting='{"env":"staging","page_type":"article","post_id":886847,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"A"}']

Snapchat ghost-CAPTCHA not as secure as it would like

Image Credit: OtnaTdur/Shutterstock

It seems Snapchat’s “fixes” for a number of its security problems just aren’t sticking.

Steven Hickson published a very simple way to defeat Snapchat’s recent “find the ghost game” — a challenge the app uses to help determine whether you’re human or not.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":886847,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"A"}']

Above: A ghost “blob.”

Image Credit: Steven Hickson

Yesterday, Snapchat confirmed that it had released a new “CAPTCHA”-like game that users need to play in order to set up an account. CAPTCHAs usually take the form of a squiggly word that humans have to type into a box to, well, prove that they’re human. It is used to stop spam bots.

Snapchat’s version makes you look at nine images and then pick which images have a “ghost.” The ghost, however, seems to be Snapchat’s downfall.

AI Weekly

The must-read newsletter for AI and Big Data industry written by Khari Johnson, Kyle Wiggers, and Seth Colaner.

Included with VentureBeat Insider and VentureBeat VIP memberships.

Hickson explains that he was able to take the ghost’s shape, referenced as a “blob,” and feed that information to a computer. The computer learns the blob and is quickly able to choose it from the images provided.

He says his code has been accurate 100 percent of the time.

Snapchat has had further issues with its patches to the Find Friends application programming interface. This API lets people look up other people using the phone number associated with their account. It was exploited by an unknown hacking group, which stole 4.6 million phone numbers and user names and published them to the Internet in a database called SnapchatDB.

Gibson Security, an Australian research firm, published information about the hole that led to the hack on Christmas Eve after alerting Snapchat to the issue in August. The hackers said they exploited the hole only to bring attention to the speed at which companies respond to bug disclosures.

Snapchat put a limit on how many times a single account could use the Find Friends API so as to also limit the number of people any given account could look up. But a young hacker by the name of Graham Smith pointed out that, well, anyone could keep making accounts.

We’ve reached out to Snapchat and will update upon hearing back.

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":886847,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"A"}']

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn More