How I Hacked Snapchat's Dumb Anti-Robot Security In Less Than 30 MinutesS

I woke up this morning and saw an article detailing Snapchat's new verification system designed to help cut back the snap spam that seems to be slowly infiltrating the service.

You may not have seen it but if not I will summarize it for you. They basically have you choose from amongst a bunch of images, identifying the ones that have the Snapchat ghost to prove you are a person. It is kind of like a less annoying CAPTCHA.

How I Hacked Snapchat's Dumb Anti-Robot Security In Less Than 30 Minutes


The problem with this is that the Snapchat ghost is very particular. You could even call it a template. For those of you familiar with template matching, which is what Snapchat is asking you to do to verify your humanity, it's one of the easier tasks in computer vision.

This is an incredibly bad way to verify someone is a person because it is such an easy problem for a computer to solve.

After I read this, I spent around 30 minutes writing up some code in order to make a computer do this. Now there are many ways of solving this problem, HoG probably would have been best or even color thresholding and PCA for blob recognition but it would take more time, and I'm lazy (read: efficient). I ended up using OpenCV and going with simple thresholding, SURF keypoints and FLANN matching with a uniqueness test to determine that multiple keypoints in the training image weren't being singularly matched in the testing image.

First, I extract the different images from the slide above, then I threshold them and the ghost template to find objects that are that color. Next, I extract feature points and descriptors from the test image and the template using SURF and match them using FLANN. I only use the "best" matches using a distance metric and then check all the matches for uniqueness to verify one feature in the template isn't matching most of the test features. If the uniqueness is high enough and enough features are found, we call it a ghost.

With very little effort, my code was able to "find the ghost" in the above example with 100% accuracy. I'm not saying it is perfect, far from it. I'm just saying that if it takes someone less than an hour to train a computer to break an example of your human verification system, you are doing something wrong. There are a ton of ways to do this using computer vision, all of them quick and effective. It's a numbers game with computers and Snapchat's verification system is losing.


This post originally appeared on the author's blog, and it was republished with permission.

Steven Hickson is an avidtechnical blogger and current graduate student researcher at Georgia Institute of Technology. He graduated magna cum laude with a degree in Computer Engineering from Clemson University before moving on to the Department of Defense. After consulting and working at the DoD, Steven decided to pursue his PhD with a focus in computer vision, robotics, and embedded systems. His open source libraries are used the world over and they have been featured in places such as Linux User and Developer Magazine, raspberrypi.org, Hackaday, and Lifehacker. In his free time, Steven likes to rock climb, program random bits of code, and play Magic: The Gathering.