pureMango.co.uk
there's nothing about mangos or purity. It's just a name..Is your home as secure as your e-mail address? A video security camera system is a great way to protect your home. You can find great deals on a Sony security camera or a Samsung CCTV online.
Totally Anonymous Fake Mailer
check out the things I have found in books!
Breaking CAPTCHAs Without Using OCR
For my own PHP CAPTCHA implementation, click here.
This article details a method I have discovered to bypass CAPTCHA security, without having to use Optical Character Recognition software.
Most CAPTCHAs don't destroy the session when the correct phrase is entered. So by reusing the session id of a known CAPTCHA image, it is possible to automate requests to a CAPTCHA-protected page.
I have tested a number of free and commercial CAPTCHA scripts, and most of them are vulnerable to this method of exploitation. This includes the popular humanVerify solution, and many others.
manual steps:
connect to captcha page
record session ID and captcha plaintext
automated steps:
resend session ID and CAPTCHA plaintext any number of times, changing the user data, eg:
POST /vuln_script.php HTTP/1.0
Cookie: PHPSESSID=329847239847238947;
^^^ this is the session id of the page you looked at manually
Content-Length: 49
Connection: close;
name=bob&email=bob@fish.com&captcha=the_plaintext
^^^ this includes the captcha string for the page you looked at manually
the other user data can change on each request
you can then automate hundreds, if not thousands of requests, until the session expires, at which point you just repeat the manual steps and then reconnect with a new session id and captcha text.
This is -easy- to fix, here's the vulnerable pseudocode:
if form_submitted and captcha_stored!="" and captcha_sent=captcha_stored then
process_form();
endif:
fixed psuedocode:
if form_submitted and captcha_stored!="" and
captcha_sent=captcha_stored then
captcha_stored="";
process_form();
endif:
- it's a one line fix!
Vulnerable CAPTCHA Scripts
tested scripts: (list taken from wikipedia's CAPTCHA page)
scripts were first tested during May 2005, and re-tested in August 2005.
-------------------------------------------------
humanVerify (Multilingual)
vulnerable (this product has 325 registered users)
-------------------------------------------------
drupal Captcha (PHP)
4.4- vulnerable, 4.5+ OK
-------------------------------------------------
del.icio.us/register
was vulnerable, fixed after I alerted them
-------------------------------------------------
tacs 0.1.2 (PHP)
vulnerable
-------------------------------------------------
gotcha (PHP)
vulnerable
UPDATE:
no longer vulnerable
-------------------------------------------------
Lanap BotDetect (ASP/ASP.NET)
vulnerable
UPDATE:
no longer seems vulnerable, not 100% sure.
-------------------------------------------------
code project CAPTCHA (ASP)
vulnerable
-------------------------------------------------
freeCap (my own script) (PHP)
1.3+ not vulnerable
-------------------------------------------------
audit (PHP)
not vulnerable
-------------------------------------------------
Block AutoSubmit (PHP)
not vulnerable
-------------------------------------------------
captchas.net service (python/PHP/PERL)
not vulnerable
-------------------------------------------------
"only as secure as the weakest link in the chain" springs to mind.
I also managed to automate requests to www.captcha.net's demos, but having examined the implementation of their system on google, I think it's only the -demo- that's vulnerable.
I would appreciate info on other vulnerable/not vulnerable scripts, as I only have limited resources.
Taken offline for the moment. Email me if you'd like a demo.
Another vulnerability that most CAPTCHA scripts have is again in their use of sessions; if you're on an insecure shared server, any user on that server may have access to everyone else's session files, so even if your site is totally secure, a vulnerability on any other website hosted on that machine can lead to a compromise of your session data, and hence, your CAPTCHA script. freeCap gets around this by only storing a hash of the CAPTCHA word in the session, thus even if someone can read your session files, they can't find out what the CAPTCHA word is.
If you would like me to test your CAPTCHA scripts (for free), and give advice on how to protect against this type of attack, please email me at
There's also a great wiki about stopping spam with some very interesting info, if you're interested in fighting spam.
User Comments:Who: mike
When: July 7th, 2005
Says: cool thx ;)
Who:
When: November 4th, 2005
Says: THANK YOU... this is great stuff...
I wanna use your script... BUT...
* I can't get the picture to show up
* it seems very complicated - has a lot of code
* needs some documentation, or obvious links to it
I do like your dedication. I have successfully tried "Audit" and will try the other "not vulnerable" ones to decide which to use.
How up to date is your recommendations above? Can you put date-stamps on these recommendations/observations, please?
Thanx for all this hard work. It's great when I don't have to do so much work, and i can rest on the shoulders of giants!!!
:)
-dennis
---
from u24:
At some point I do intend to do some more documentation for freeCap, email me if you have any specific troubles, though.
Who:
When: November 4th, 2005
Says: AUDIT seems to be EXTREMELY simple...
is it really "NOT VULNERABLE" ???
---
from u24:
not vulnerable to -this- attack, patently vulnerable to OCR attacks, though.
Who: bookworm
When: February 23rd, 2006
Says: A very intresting article. I am still learning about CAPTCHA's and how to make or break them. Your article is a great help. I would like to use your method to test my implementation. Hopefully soon :-). Thanks.
Who: ilia
When: March 7th, 2006
Says: are you saying google uses captchas.net webservice? It doesn't look like it to me. I checked Google's new account creation form. The only thing similar is the random-string/signature-based password generation.
ilia.
---
from u24:
no, captcha.net, not captchas.net
The generated image looks very similar (compare the sample-nsf image to a google account captcha).
I'm not sure why I thought google actually used captcha.net, but there's a similarity.
Who: feha
When: March 7th, 2006
Says: I wonder if this capcha is ok (my own development) ?
http://vision.to/1_CMS_ENC/Admin/index.php
---
from u24:
from an OCR-ing perspective, overlap is good, multiple colours is good, background doesn't add too much extra protection, image is too small. rotation is good, multiple fonts is good. Further obfuscation needed, but generally above average.
From my side of things, that is, the implementation, I was able to get ACDC to pass the captcha several times, which means you would be able to brute force the login (eventually)
In your code, where you check whether the captcha has been entered correctly, if they suceed, make the code forget what the correct word is.
If you take a look at the code for freecap_wrap.php (under projects), you'll see how I do this.
If you get stuck, email me the code and I'll take a look at it.
Who:
When: April 4th, 2006
Says: its good but i am unable to get the image code
when i downloaded the sample zip file?
i don't know how to get it.
can any one help me.........
Who:
When: April 5th, 2006
Says: I'm looking at using something in a site I"m developing, thanks for the info and implementation.
Would it be easier to simply destroy and re-open a session?
session_start();
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
Then send them back to a page to restart the session properly to help with any problems setting cookies. I dont know if you could possibly start another session if you havent outputed anything to the browser, or are using buffering.
Who: Daniel
When: April 14th, 2006
Says: What about this one?
http://www.tipstricks.org/
Is it Ok?
If not - what to change?
Thx in advance!
---
from u24:
the distortion is fairly good, you could use multiple colours, and multiple fonts, but other than that, yeah, not a bad script :-)
Who:
When: May 2nd, 2006
Says: I think, we made a complete new kind of captcha. It is not a very "high secure captcha", since you have a chance of 1:5 to solve it.
What do you think about it? Is it hard to break or not?
Here you can see a working example:
http://firstshare.de/?23d3t1ngi5l9vtw508il
(You'll get a beer if you're through!;)
Anomar
---
from u24:
yeah, nice one, but I think it would be possible to parse the flash file for URLs and try all possibilities, no?
thanks for the beer ;-P
Who:
When: May 8th, 2006
Says: You can parse all URLs. But if you use a wrong URL, the valid URL will be destroyed and you'll need a new try (which means one hour of waiting!).
In this case your chance is 1:5 to get the right URL - not too bad, but I can imagine of some changes to make more possibilities in the captcha.
Anomar
---
from u24:
ahh, clever. but spammers could connect from multiple IP addresses though. But it would definately slow them down. nice one. do you have source code available?
Who:
When: May 9th, 2006
Says: CAPTCHA=completely automated public Turing test to tell _computers and humans apart_. At the point where a human is required, it is guaranteed to fail, because it was a human and not a computer.
The automation does not really "break" a CAPTCHA system as it just informs the server that a human already verified him/herself as such.
In other words, while this may be handy for spammers to know or for the people who write CAPTCHA code to realize, it doesn't really talk about what it claims to.
Basically, a CAPTCHA is just designed to prevent automated attacks. Once spammers are required to manually fill out forms, your CAPTCHA has already succeeded. Unfortunately, as OCR software gets better, these psuedo-Turing tests will make real people jump through more hoops (ever see an image verification thing that was unreadable?).
---
from u24:
I don't think captchas are about trying to make a philosophical distinction between users and computers, I think they're trying to stop spam. the technique above allows people to spam even if there's a (vulnerable) captcha in place, hence the captcha fails.
On your logic, if someone wrote an OCR program that defeated captchas, you could respond "ah, but you see, a human was involved because someone had to write that OCR program, so the CAPTCHA isn't really broken".To which I would say "yes, it is".
Who: u24
When: May 9th, 2006
Says: and just to clarify; with the attack in the article, a spammer has to fill one form out, and then the script can spam many thousand times
Who:
When: June 4th, 2006
Says: I would be curious about what folks think of this text-based captcha
http://www.indexuhelp.com/captcha/captcha-test.php
---
from u24:
it's a good idea, but I couldn't get it to display in Firefox.
If you manage to get it rendering OK it the common browsers, it's an interesting approach. Having said that, an OCR program could still just take a screenshot of your page and OCR that...
Who:
When: June 9th, 2006
Says: fixed the Firefox problem. apparently, Firefox does not like the IDs to begin with a number. IE just doesn't care.
I searched google but all I could find was how OCR "cracks" an single image. No details on how it knows which image has the captcha code or how it would find the captcha code if it created an image of the whole page.
any help?
I would at least like to pursue it until I find out just how secure or insecure this method is.
how could I go about doing that?
thanks
.
Who: ricks99
When: July 25th, 2006
Says: Do you have an anlysis of ProtectWebForm's Capthca service (http://www.protectwebform.com)?
---
from u24:
don't have time right now - will look at it in October
Who: quiz buster
When: August 15th, 2006
Says: jcaptcha - clears session.
The best way i came up with for this one was for a tv competition free entry page. (normally was a premium phone call to enter, but they offered this page which was clumbersome to use). They cleared the sessions, so the approach detailed above didn't work. (this is automatically available in browsers like Opera which retain form field contents when you hit BACK, allowing you to just kick submit again!) They also seemed to drop entries that were submitted too quickly, and then they added a hidden field with a time based code in it to drop re-used forms. It was a pain making multiple submissions with it ..
After a few weeks, I ended up wroting an app that fetched the page, parsed out all the fields, presented the captcha to me to manually re-type (insert ocr here) then queued the result so it wasn't submitted back for about 15 seconds, +/- random amount. In the meantime, it was off getting the next page.
It worked, I was getting entries in at not quite 45 a minute at the end, depending on how fast i typed, got through to the quiz multiple times, and ended up winning a nice bit of money. (BUT because you have to give name for where to send the prizes, they end up knowing who you are, so was asked to stop entering under their "for any reason" T&C.. )
Just thought you'd like to hear about a different approach. It didn't take the human out of the equation but did help automate the process.
Who:
When: August 16th, 2006
Says: I agree with Oleg.
I developed my own captcha and of course it's code is not available client side but stored server side only.
To keep track of the unique user you could do 4 things:
- check (session) cookie
- check IP address
- append a second code (probably the session id) to the website address and check the referrer
- put a second code in the form and check this
Since some have disabled all cookies (including the RAM or so called session cookies) and since ISP's like AOL use dynamic IP addresses one should make a combination of the session cookie and the IP address or use method 3 or 4.
Cheers,
Jeroen Haan
Website developer
www.haan.net
Who:
When: August 18th, 2006
Says: this is the most idiot captcha implementation!
http://www.mypals.com.my/signup.php
Who: Lohita
When: August 31st, 2006
Says: thnx 4 ur information
Who: hyper
When: September 29th, 2006
Says: I don`t understand, why captcha makers are trying so to distort image, make so many variations, that image become unreadable even for human, do there are real occasions when captchas of some serious sites were broken by spamers, bots or smth like? If the main goal is to prevent spamers, search bots etc, there are many other ways how to prevent that (IP&time logging, connection limiting etc) and not using methods, which makes difficulties for those, who have no bad intensions against certain site.
Imho this captcha making boom looks more like a competion - who will make a captcha which won`t be readable by anyone.
---
from u24:
there is a balance to be made certainly, but the other options for stopping spammers just aren\\\'t viable - a guy who was spamming me was coming in from hundreds of different IP addresses. I try to address the problem of human readability in freecap by allowing the webmaster to change various options regarding the output. I like to think it\\\'s a decent script.
Who: 1234
When: October 14th, 2006
Says: Some stupid captchas have an MD5 hash inside their URL. Those are just so easy to break.
Who: u24
When: October 31st, 2006
Says: 1234: that really is simple.
Who:
When: November 5th, 2006
Says: Captcha is not necessary, it is a add on. Good validation however is necessary.
You can indeed check the post request array of variables and keep abusers out. But check this server side since the post request could be a direct request skipping the form.
Check if only one @ is present in the value holding the email address field.
Check if there are @ present in values other then the one intended for the email address.
Check if there are special characters like tabs or returns present in the array.
Check the length of certain values like the name and email key.
What wiki, forum or alike concerns, you could use a register and login script
All these measures are also good to validate the user input and give back the same values with a kindly suggestion for improvement. What forum concerns, it is also good to prevent impulse reactions or kids trying the submit button.
With all these measures it is difficult for bad intended to do any real harm.
Important notes:
The RFC (protocol) of email needs a return ( \r\n or CR LF ) between email addresses.
Knowing this the abuse is easily prevented. So make sure the email headers are clean since the TO, SUBJECT and BODY parameters can�t be abused. It is the HEADER parameter that can be abused. You could even make the Header parameter a static one or even skip it since it is not needed (check if this is true in your situation).
Important to realise that login is the best method to prevent abuse of contributions like wiki, forum or alike.
Also important is to log the IP address, one day you might need to sent out a legal complaint.
In the USA a Captcha is a risk to get a lawsuit because you hinder the disabled. This is serious matter!
I have developed a creative and good readable captcha and a very good filter.
Both can come integrated and are commercial software.
I can only say it does its work because I don't see any attacks or �beta testers� anymore on the tens of websites I host.
I do get some warnings that people do try direct post requests.
I filter these with checking if �referrer is host�. If not, an email with IP goes out.
Other get nice warnings themselves and retry genuine or better decide to try abuse elsewhere.
So far for these free tips.
Happy programming!
Kind Regards,
Jeroen Haan
www.haan.net
---
from u24:
yeah, I would advice trying everything you can to stop spam before implementing a CAPTCHA system, sometimes though it is the only way.
Who:
When: December 11th, 2006
Says: Is the CAPTCHA used by TicketMaster vulnerable?
---
from u24:
you have no idea how many people ask this.
no.
Who:
When: December 22nd, 2006
Says: I'm not surprised at all. Most of them are probably ticket scalpers. Some of them must have found another way to crack that CAPTCHA, because even after TicketMaster added it the good tickets are still showing up on scalper websites.
Who:
When: December 28th, 2006
Says: How IRONIC. You need to use CAPTCHA test before posting. Haha.
Who: Searcher
When: February 9th, 2007
Says: How about a flash captcha, is it secure enough?
Have a look at this visual captcha: http://www.dracon.biz/captcha.php
---
from u24:
it doesn't matter what the technology is - the principles remain the same, whether it's done in flash, vrml, whatever, the spammer is either going to use a printscreen type of thing to get the image, or use an open source reader for that format.
but for that flash one, it's a good idea (I was trying to do something very similar as an animated gif for freecap, but the processing took too long)
but can't the attacker just take the image as shown after 2 seconds? In other words, the full word is always shown at the same point in the movie, and from there it's quite simple to decode the characters, as you're not really warping them at all...
also, one of the major problems with CAPTCHA is the accessibility, and by using flash, you're narrowing the number of people who can use the form even more.
Who: Captcha_Security
When: February 28th, 2007
Says: First, thanks for this page/topic. My biggest concern is CAPTCHA's security so I was googling around to conclude what are the important factors... I have recently been reading about JCAPTCHA, which uses Java along with CAPTCHA (http://jcaptcha.sourceforge.net/) but there are not much information about the security of JCAPTCHA on google or even on their site. Do you know how secure these are? Does using Java add more protection to it?
Also, does the background matters? in other words, if one uses a white background vs a colored or a background with lines, does it matter that much as far as CAPTCHA's security?
The latest point is that one assumes that by downloading the latest version, he got a "secure" or "up-to-date" CAPTCHA, but I dont think thats the case. So, how can one really checks if the CPATCHA(s) he is using are safe from spam, etc?
I would appreciate any feedback :)
---
from u24:
As far as OCR goes, the programming language used shouldn't affect how secure the captcha is, is doesn't matter if it's written in java, vrml, php or whatever. A script can always take a screenshot an OCR that. The only exception I can think of is when animation is involved, eg via flash or animated gifs, then it would be a case of splitting the captcha into several frames and then somehow determining which one contains the full captcha. Any implementation of that would have to be very carefully thought about, for example a script that flashed up 5 words and told you to enter the one in red would add no extra security; the script can easily tell which one is red. Likewise, with a script animated characters into the right order and then hovered before dispersing, you might be able to say "OCR the fifteenth frame" or "OCR the image that appears after 2 seconds". So there needs to be sufficient randomisation. I'm tempted to say that those sort of tricks tend to offer only security through obscurity, but that's not to say that a flaptcha (flash captcha (tm)) might not offer something that's uniquely useful and could only be acheived through flash.
As far as the implementation goes, again, I can't see why the programming language would affect that.
The background can serve to confuse OCR scripts; if the OCR can't tell whether a squiggle is a letter or just part of the background, that's going to make it much harder to reliably OCR the image. Having said that, it's very important to make sure that the background offers enough protection. In freecap v1.3, I put in a background that looked great, but offered no extra protection; you just needed to lighten the image and the background disappeared but the text remained (whoops!).
With JCAPTCHA, all the background models except DeformedBaffle suffer the same sort of problem; just replace everything that's not white with black and you've effectively removed the background. The background needs to be indistinguishable from the text, which presents a big problem; how could a human tell them apart? The key is striking the right balance.
I can't find an online demo, so I can't tell whether JCAPTCHA suffers from the session reuse problem I outline above. I don't know JAVA either, but looking at the source code it seems like they are vulnerable, as you only need to enter the captcha once; this would allow an attacker to enter the captcha once per website to spam instead of once per message to spam. Thus thousands of messages could be sent to a website with just one CAPTCHA being manually entered. But I'd have to see a live example to know for sure.
However, all the above points are in actual fact merely technicalities - the reality is that even if have the worlds worst captcha in place, it's going to stop spam. The question is: will it stop spam in 5 years time, once the spammers have updated their technological arsenal?
Who: Captcha_Security
When: March 1st, 2007
Says: Thanks for your quick reply and comments. I could not quickly find a demo for jcaptcha either. I will try and give freecap a try, I just might need to convince management for this move :P
As far as stopping spam, personally, I think it relates to how far the law is going to go for that direction. The harsher the laws against spam are, the fewer spam we will have over the years Also, as far as capthas, at some point of advanced captcha development, it would take spamers a while to really figure out a way of distinguishing humans from computers
---
from u24:
*sigh*, yeah ideally the law would help but what with the international issue there's no way to enforce it globally - at best it'll force spammers to operate out of countries with dubious or non-existent e-laws....
I think a technological improvement is the way forward, but CAPTCHA probably isn't the ideal solution in the long term.
Within the next year or so, I plan to do something fairly major with freecap, but any proper solution is probably going to have to involve some sort of community collaboration.
Who: Captcha_Security
When: March 1st, 2007
Says: ok, I found a demo, but its on a private website which I cannot post here. How do I find out if the jcaptcha used is vulnerable or strong enough? I have the source code for the web page that the captcha is used on...
---
from u24:
you can use the ACDC script that's linked above, but it's not exactly user friendly. You'll need to enter both the page where the captcha appears (ie the URL of the protected form) and the URL of the captcha image itself (ie right click on the captcha and copy the URL shown in the properties dialog), then you'll need manually to find out what the form field for the captcha variable is by viewing the source of the original captcha form page (helps to have ACDC opened in a separate tab), then you'll need to fill in the form data in the 'additional post data' box.
then, you can submit and inspect the three output boxes to see if it worked. simple, eh? :D
Yeah, one day I'll make it more intuitive, but it's really just a proof-of-concept. If you email me the URL I can test it for you.
Who: mhe
When: March 6th, 2007
Says: what about using www.captchasolver.com to solve hard captchas?
---
from u24:
ouch. what a great/evil idea.
All it takes is one lawsuit though. I'm sure it's illegal.
Who: dante hicks
When: March 16th, 2007
Says: ... i wrote 'tacs', i just happened to stumble upon this page ...
and whereas tacs isn't something i would recommend for use anywhere to anyone [it was more of a POC idea, and oss code to accompany], typically, an 'exploit' finder alerts the author of said bug before making a public page about it ... unless, or course you have a 'competing' product to peddle, which is an obvious conflict of interest ...
regardless, in between finding this page and 1.2 i wrote 1.3 which uses a different approach and eliminates the need for sessions ... i'd be curious to hear your 'report' on the new demo. even though, again, it's just a POC.
regards.
---
from u24:
yes, sorry I didn't alert you. I always planned to but never got round to it. I also planned to do a more thorough audit of captcha scripts, but again never got round to it. And yes, there probably is a conflict of
interest in that I'm pushing my own script.
The list of vulnerable scripts was really only intended as an example of how common the problem is/was, rather than a bug report on other captchas.
Pretty much every captcha was vulnerable, and those that weren't were only invulnerable by accident. But yes, you're right, I was out of order in not alerting everyone.
I've now sent emails to all the remaining vulnerable scripts who's contact details I can find.
I've sent you email about the latest version of tacs.
-h.
Who:
When: April 16th, 2007
Says: What about TruBar?
http://forum.truden.com/
---
from u24:
tested it this morning and I can confirm it's not vulnerable to session re-use - well done.
You do need to test it on multiple monitors though - my laptop screen is very bright and I can hardly make out the letters. Also, the vertical lines in the background look like l's or ones or I's; might want to change that.
Using the same background each time makes it easy for an attacker to ignore the background; they can just XOR the image against the 'raw' (unwritten on) background to attain the un-obfuscated letters. At least put some random obfuscation in there. :-)
Who:
When: April 26th, 2007
Says: Hi, I don´t know much about ASP, I´m just trying to enter a website to get an appointment to renew my passport. I know, it sucks, but I just wanted to ask how do I get the ID number for a captcha session. Any further help would be greatly thanked. If you want no take a look at the site here is the address.
http://www.onidex.com.ve/portal/solic_mayor_ced.aspx
Thanks!
---
from u24:
it will be in the http response header as a cookie; see the http headers page linked on the left.
Who: Searcher
When: May 15th, 2007
Says: Re: Flash CAPTCHA from http://www.dracon.biz/captcha.php
Well, if the code transaction between flash and php is encrypted, packet sniffing wont help much...
Yes, indeed you can make printscreens until you get all you need to run an OCR attack, but don't forget this is flash, you can do ANY effect and you don't have to have all the letters on the screen at the same time or same place, it just requires a bit of creativity. I made it clean and simple to make it easily readable, but if there was a war between bots and captcha..
Who: rs99
When: May 29th, 2007
Says: How about CAPTCHA with a purpose (see http://recaptcha.net/learnmore.html). Any comments about the quality of this CAPTCHA?
---
from u24:
yeah, I saw that site. mm. good idea. It's based on the gimpy models, so I'd have to concede that these people really do know what they're doing.
Who:
When: June 1st, 2007
Says: Hi,
I need to read captcha of any type from html page and store back in database in character form. How to proceed on that.
Pls update me.
Thanks
Santosh
---
from u24:
what you're asking is almost impossible.
Who:
When: August 14th, 2007
Says: Hello! First, I'd like to thank you for all of your work with CAPTCHA. I really think your efforts are making a difference with this important problem, and I hope we're making progress collectively. Along those lines, wanted to ask for some of your feedback on an experimental CAPTCHA that I've created. I've named it the "Warhol Proof" since the images it uses kind of remind[ed] me of Andy Warhol's postmodernistic style.
Here's the URL:
http://warproof.com
I'd love to hear any feedback you may have, and if somehow my efforts (source code) can help yours, I'd be happy to collaborate.
Thanks, and talk to you soon! :)
-Rich
Who:
When: August 29th, 2007
Says: Cool, though I don't really get why you don't release the code but explain it perfectly. Reimplementing the same thing would take about 5 minutes, so, all you've got there is lamer protection :)
---
from u24:
spammers==lamers
Who:
When: November 28th, 2007
Says: i want to eneter a multiplayergame that is only in europe but am not in europe so can u help me play it?
Who:
When: February 1st, 2008
Says: In regards to the freeCap project:
It is one of the more promising I have seen; however, the CAPTCHA used in comments would be fairly easy to break.
All thats needed is a line detection algorithm to detect darker colors (avoiding the background noise). Though there is deformation, a medium sized binary comparison library could easily conquer it with a 20-40% success rate.
The extra backgrounds make OCR a lot harder, but also kill the human readability factor. My suggestion would be to enlarge the letters and deform them a little less, but to use wavy, darker lines to prevent any segmentation.
As for the Warproof site...
From what I saw, there were just 15 or so different pictures, nothing really server generated. It would take me all of 5 minutes make some "OCR" for that.
Its an awesome idea if you could figure out how to generate that with a server, but its a terribly vulnerable implementation.
Bruce
---
from u24:
thankyou for your insights. Very interesting. If I ever do another version (there was one in the works a while ago) I would write an algo that just added an extra limb onto each letter, to avoid line termination/intersection detection. TBH, I think CAPTCHAs are an ugly solution - providers like gmail stop spam very effectively without captcha, so I'm sure the same principles can be applied to comment areas.
Who: sec-tech
When: July 10th, 2008
Says: I'm looking for a script/app/whatever (must be Windows compatible; I'll explain why later in this comment) that I can use to defeat CAPTCHA. I'm not a spammer (believe that or not, as you like). I just have certain tasks that, done via the web, I prefer to automate because it saves time and effort (just overall making life easier). In this case, I have a friend who has a webpage on a website that she doesn't host and she wants me to "pump up" the number of "friends" that she has. That would be incredibly tedious, time-consuming work if done manually. But I already have what I refer to as a "private 'bot" that, with a little re-writing of the code, can take care of this for her...except for one thing; the registration page includes a CAPTCHAthat I must circumvent in order for my 'bot to work (why do I call it a private 'bot? because it only runs on my PC and only for a legitimate single purpose - it is not used for spamming or hacking or sending viruses, etc. nor is it attached to emails as a trojan or a virus or spyware or malware - I use it only on my PC and it never gets used for doing anything malicious - it is simply a task automation application that I developed for my own use....using the Winbatch programming language, which is why I need something Windows compatible to defeat CAPTCHA).
My app was originally written for (for all practical purposes) to "rig" the WWE's 2006 Diva Search Contest (but without breaking any laws or violating the contest rules - the rules being "10 votes per week per email address"; since I had an unlimited supply of email addresses available to me, I was able to vote as many times as I wanted - had they said "10 votes per week per person" I wouldn't have been able to do it, as I'm only one person and I would have been violating the rules of the contest). My app used an algorithm to generate random email addresses, as well as random first and last names, gender (in association with the name generated), birthdates, cities, states, and zipcodes (with cities associated with states and zipcodes associated with cities); all info matching correctly. I was able to feed contestant Layla El from 5000 to 15000 additional votes per day. Since it's unlikely that there was much of a "spread" in the vote totals from one contestant to another, it is likely that the additional votes generated by my automated voting script was the reason that Layla El not only did not get eliminated from the finals but it is likely it is also the reason that she won the competition. Though, admittedly, without seeing the weekly vote totals, it is impossible to know if my "private 'bot" really caused her to win.
I'm sure some would say that what I did was cheating but I don't think so. Did I manipulate the outcome of the Diva Search Contest? Yes. Did it have an impact? Quite possibly (no way to know without reviewing the vote totals). Was it cheating? No. I adhered to the strictest interpretation of the rules; "10 votes per week per email address." And I didn't break into anyone's computer system nor did I use the PUBLIC WWE website in a manner other than the way intended (it was intended for use for people to vote for a contestant and that is how I used it; nowhere did it say that automated voting was not allowed). So no laws were broken.
But I like to think that the Winner of the WWE's Diva Search Contest was, for all practical purposes, chosen by me (and all those other people that also voted for her...but with my votes being the deciding factor). Besides, ever seen the WWE's Monday Night Raw? The WWE is hardly in a position to claim the moral high ground, with the fraud and deception that they engage in, all in the name of "entertainment." And I got absolutely nothing out of it. I did it to force a little racial diversity on the WWE. I was sick and tired of seeing a bunch of "blue-eyed, blond, caucasian's" as WWE Diva's. That's why I chose Layla El to help. Had an Asian or Hispanic woman made it into the top 10, I might have helped her instead. But, by the time I got involved, 3 or 4 of the top 10 had already been eliminated and the only "minority" Diva contestant was Layla El. So, I gave her my votes.
Now, I simply want to hep a friend have more "friends" show up on her web page. But I need some help defeating CAPTCHA first. Is there anyone out there that can assist?
Add your comments:* denotes a required field.
Your email address will be converted to an image to prevent spambots picking it up.
