Science Forums

Posted

ROFL well apparently the following approach isn't a new idea, but it's the first time I'd heard of it.. ;)

 

http://www.sitepoint.com/blogs/2005/07/18/the-end-of-captcha/

Excerpt: "All CAPTCHAs are eventually doomed because they can all be defeated using the brilliant “free porn” attack. Here’s how it works: Spammers set up a system that scrapes CAPTCHAs from the target site (the Hotmail account creation page for example) and serve them up somewhere else on a “free porn” website. Porn surfers are told to solve the CAPTCHA in order to get their fix. Their solution is passed back to the original site.

 

This isn’t just a theory—it’s an attack that’s being used in the wild. As far as I can see, it renders any and every CAPTCHA system irrelevant. How do you tell the difference between a human who wants to sign up for an account with you and a human who wants free porn from somewhere else?"

 

moo

Posted

This does not make sense, as every CAPTCHA image is rendered in a random fashion and therefore I doubt it can be solved in this way. How would you match CAPTCHA image with the correct registration?

Posted

If I understand correctly, the image is sent "realtime" by the bot to the spammer's porn site, where a random online user is required to type in the characters. This input is then sent back to the bot. Bingo, image code solved.

 

moo

Posted

I have seen CAPTCHAs that have multiple words in them, and you must click on the word in the picture that appears twice. Would this solve that problem? Or can bots tell where a mouse click is made and then replicate it?

Posted
I have seen CAPTCHAs that have multiple words in them and you must click on the word in the picture that appears twice....

I have also seen CAPTCHAs with math problems like 1234+2345 and you had to enter the answer...

Posted
I have also seen CAPTCHAs with math problems like 1234+2345 and you had to enter the answer...

Yeah, but I was thinking the type I mentioned may be harder for the situation moo brought up, where that one is really the same as any other.

Posted

The free porn idea shows there's just no limit to human imagination!

 

or can bots tell where a mouse click is made and then replicate it?
A click made by who? :hihi: Not on the same PC, surely? I don't see why this would be necessary. The free porn site only needs to be designed to tell the 'bot what answer the porn user gave. The 'bot needs to be designed to figure which options the site has for the query and what post data each would send. You don't send any click via HTTP, only octets.
Posted

But the browser doesn't send clicks via HTTP (it sends a request and receives a response) and the 'bot is a browser (well, ok, an HTTP user agent) as well as being an automaton.

 

These are the terms we must reason in. Clicks and text entries are simply the way a human user tells the ordinary browser what request to send. A 'bot analyses the HTML of a request but, instead of rendering it and awaiting user gestures, works out what options there are and (somehow) decides which to "do" and perhaps iterates through several or all of them recursively (according to what it's designed for). By "do" I mean that it works out the request to send, which is what the various options really are. However sophisticated, I suspect a 'bot will go automatically through cases of anticipated kinds and might do the rendering in other cases, waiting for its master to decide what to do.

Posted
But the browser doesn't send clicks via HTTP (it sends a request and receives a response) and the 'bot is a browser (well, ok, an HTTP user agent) as well as being an automaton.

I didn't mean the browser sends "clicks"; I meant another app can run an existing browser (IE, Firefox, etc.) using clicks with the API mouse_event(). Would be a rather cheesy bot though.

 

But I guess you're talking about the user "clicks" from his own browser. Sorry, sleep deprivation often affects what little reasoning I have left... :eek_big:

 

moo

Posted

Oh, that's what you meant, sorry! Actually the point of discussing it here was more to the purpose of how to design a scheme with less weakness; good defence comes from knowing all possible attacks. This doesn't really depend on the 'bot's exact implementation; it's a matter of what it can do.

 

Of course a 'bot can be made using existing browser functionality, but even better you can use an Automation interface (IE has it). I've used it little, I don't know quite how fully in detail the client app can see the content (Surely not less than via Windoze messages. DDE? Ha!). Done this way I wouldn't even really call it cheesy, the very idea of the OSF was quite literally "make it so that it can be used by other software".

Posted
If I understand correctly, the image is sent "realtime" by the bot to the spammer's porn site, where a random online user is required to type in the characters. This input is then sent back to the bot. Bingo, image code solved.

 

moo

 

Okay...you'd need someone to actually solve it the instant the user is looking at the page, then.

 

Maybe some sort of simple timeout could prohibit it...or there could be TWO captchas on the same page.

Posted
Okay...you'd need someone to actually solve it the instant the user is looking at the page, then.

 

Maybe some sort of simple timeout could prohibit it...or there could be TWO captchas on the same page.

If the free porn site has become well-known to clients, I think the time for answers comin' back is gonna be mighty quick, and a clever 'bot could be designed to handle more than one quiz.

 

I think the only answer to this scheme would be to make it just as difficult for an automaton to figure out what part of the content is necessary for posing the quiz properly, like perhaps: "OMG! Which image?" Maybe also a question that's a bit like a treasure hunt through the page content... :teeth:

Posted

One problem with a timeout is that some folks may not read (or type) quickly enough, especially if the language isn't their native one. And as Qfwfq mentioned, on a high traffic site someone will almost always be changing pages (I assume that's when the logon info would pop up?).

 

Not sure how successful "confusing" the bots would be, as they probably send a copy to headquarters on failed/refused attempts. Probably a temporary solution at best unless you come up with some random layouts.

 

moo

Posted

I thought I'd give an insight into my thoughts on this, some things may have been replied to and I missed them, so bear with me. :)

 

Somewhere in the board software is a table/etc. used to check whether the user has entered the correct code for the image

Unlikely. It's already been said that these images are generated "on the fly", i.e. as the web page loads. Strings are typically random (you can get word CAPTCHAs which likely would use a database, but that's a slightly different method to random letters), and it simply wouldn't make sense to crack your own "CAPTCHA".

 

I think the easiest way to understand how something works is to make one yourself. How I/others have done it in the past is to use "sessions", in simplicity - This is how the web server can track you across a site, knowing your login name and such. The sessions are stored on the server, so only the server has control over what they say and what can be read. Therefore, you can store the CAPTCHA information in this session and it'll only be seen by the server, apart from in a distorted form in an image. Hopefully that makes sense.

 

If I understand correctly, the image is sent "realtime" by the bot to the spammer's porn site, where a random online user is required to type in the characters. This input is then sent back to the bot. Bingo, image code solved.

That's one method. Another is similar to MICR/OCR/other ink-reading techniques. That technology has probably been around longer than I have. It simply tries to read what the image says. If it can't crack it, then that's the method they're likely to employ. Save the difficult ones for that, I guess.

 

or can bots tell where a mouse click is made and then replicate it?

A bot can't, but a malicious website might. You can use JavaScript to check the position of a mouse when it is clicked on the page, which can be used for "passkeys" where you click a picture in certain places as your password, rather than enter it in plain text... Anyway, you can track mouse clicks or pretty much anything if you wish to.

 

------------

 

CAPTCHAs are a temporary solution to a permanent problem though, if you ask me. Though there's no real alternative. The cleverest I've seen so far is a method by which some parts of the site are only visible to bots, and those bots will try and fill in those parts. Clever thing is, when the bot tries to send the information to the site, the website will know it's a bot, because there's information sent that only bots would send.

 

Sorry, I tend to go on and on about these things. I'll go lock myself in a room now. :cup:
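
The server-side checks described in the last post (CAPTCHA answer kept only in the session, plus a form field that only bots fill in), combined with the timeout suggested earlier in the thread, as an added example that is not part of the original discussion. The field name `website`, the 120-second lifetime and the plain dict standing in for a session are assumptions.

```python
import hmac
import secrets
import time

CAPTCHA_TTL = 120            # seconds; assumed value, generous for slow typists
HONEYPOT_FIELD = "website"   # hypothetical field name, hidden from humans via CSS
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # look-alike glyphs left out

def issue_captcha(session, now=None):
    """Create a challenge; the answer lives only in the server-side session."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    session["captcha"] = {"answer": answer, "issued": now}
    return answer   # handed to the image renderer only, never sent as text

def verify_submission(session, form, now=None):
    """Return (ok, reason) for a submitted form dict."""
    now = time.time() if now is None else now
    # Pop first: a challenge is single-use whether the attempt passes or
    # fails, so one image cannot be guessed at repeatedly or replayed.
    challenge = session.pop("captcha", None)
    if form.get(HONEYPOT_FIELD, ""):
        return False, "honeypot"        # a human never sees this field
    if challenge is None:
        return False, "no-challenge"
    if now - challenge["issued"] > CAPTCHA_TTL:
        return False, "expired"
    given = form.get("captcha", "").strip().upper()
    if not hmac.compare_digest(given.encode(), challenge["answer"].encode()):
        return False, "wrong-answer"
    return True, "ok"

def demo():
    """Run constructed submissions through the checks; returns the reasons."""
    reasons = []
    session = {}
    answer = issue_captcha(session, now=1000)
    reasons.append(verify_submission(session, {"captcha": answer.lower()}, now=1030)[1])
    reasons.append(verify_submission(session, {"captcha": answer}, now=1031)[1])  # replay
    session = {}
    answer = issue_captcha(session, now=1000)
    bot_form = {"captcha": answer, HONEYPOT_FIELD: "http://spam.example"}
    reasons.append(verify_submission(session, bot_form, now=1005)[1])
    session = {}
    answer = issue_captcha(session, now=1000)
    reasons.append(verify_submission(session, {"captcha": answer}, now=1000 + CAPTCHA_TTL + 1)[1])
    return reasons

if __name__ == "__main__":
    print(demo())
```

None of these checks tells a relayed human answer from a direct one; the expiry only narrows the window a relay has to work in, which is the limitation the thread points out.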
