Snapchat’s New Security Feature ‘Snap-tcha’ Hacked In Minutes


Warning: Illegal string offset 'filter' in /home/crypton1/public_html/mobilesecuritythreat.com/wp-includes/taxonomy.php on line 1409

The famous Android and IoS app Snapchat started to gain a lot of attention last year when CEO and Co-founder Evan Spiegel rejected the purchase offers from some of the big giants like Google ($4 billion) and Facebook ($3 billion). Snapchat made news again yesterday and it is not all good news again this time. After repeatedly being vulnerable to multiple security hacks that compromised the user accounts and privacy,  Snapchat released a new security feature this month in an attempt to close these vulnerability gaps. This new security feature called ‘Snap-tcha‘ was developed to check for the app’s signature and verify that it is a human and not a bot trying to steal user information.

Steven Hickson, a grad student posted within few hours of the post on CNET,  he was able to break Snapchat’s newly released security feature by accurately identifying the ghost template within an hour.

Snaptcha Ghost Matching

Snap-tcha Ghost Matching

As per Steven’s blog  these are the steps he took to break Snaptcha. “First, I extract the different images from the slide above, then I threshold them and the ghost template to find objects that are that color. Next, I extract feature points and descriptors from the test image and the template using SURF and match them using FLANN. I only use the “best” matches using a distance metric and then check all the matches for uniqueness to verify one feature in the template isn’t matching most of the test features. If the uniqueness is high enough and enough features are found, we call it a ghost. With very little effort, my code was able to “find the ghost” in the above example with 100% accuracy”

Earlier news about Snapchat’s easily ‘hack’able security features

Snapchat 4.6 million accounts Exposed – Gift to Snap Chat from SnapchatDB.info for 2014

Snapshot Exploit disposure ignored, may let hackers allow phone numbers and name

Share Button
Tagged with 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>