Weakness in Captcha - Home of Janitha Karunaratne

Weakness in Captcha

Captcha is a system widely used in web forms to differentiate between humans and bots. I won't go into detail how it works but you can read it on Wikipedia. Many people try to defeat this system by writing very advanced character recognition software but there seems to be a very large hole in this system at the moment.

This vulnerability isn't on all of them, but about half the systems I tried, it works (Yahoo and Google to give two examples). It seems internally, when a new captcha image is generated, the corresponding plaintext is stored in a database. The problem is that this database just stores the plaintext without any connection to the client's identity (For example IP). So how can this bad?

Well you can refresh the captcha images in this system repeatedly and write down the plaintext values from the image. Now you can store those value's in a bot and have the bot enter those plaintext value's in.

Here are the steps for a proof-of-concept.

Go to Computer A, get a captcha image. Write down plaintext
Go to Computer B, go to same page, enter previous plaintext from different session

Comments | Posted January 29, 2008

blog comments powered by Disqus

Navigate

Connect

Archives

The Passive Splice Network Tap, Photography and Good Glass, Rewrite and Makeover, Easy life with SSH Configs, Twitter and URL Shortening Services, Listen to your Feeds, Telephone Number Geocoder, A New Captcha, Don't Steal My Laptop, Facebook Face Extractor, Hurricane Ike, Random and Fascinating stuff, CG Too Real, Farewell Cisco, Gallery2 and Facebook App, Reconstruction 3, Fadeaway Ink, Rewrite, Charging Batteries, Centralized Comments, Picture Organizing, Client Side Blog, The Work Stack, Tech Religion Wars, Port Multiplexer, Standup/Lock, Cleanup Time, Call for a Next Meta tag, Weakness in Captcha, WRT350N External Serial, Trackpoint on T61p, Idea Recycle Bin, ThinkPads are Great, Calendar Syncronization Winner, Solution to Torrent Shutdown, UPS Social Engineering, D975XBX2 SATA Controller and Linux, Sort the Unsortable: Pictures, Multi-Factor Authentication on the Cheap, ThinkPad Beep, Know who you are Scamming, Free Premium Channels, Cisco Internship, Command Line SMS Fun, Tea Coffee Mix, Improve on Microwave Ovens, Sri Lanka SIP, In house Stadium Seating, Automatic Microwave & Call Hell, Picture Sort, RIP A7M266-D, Pale Blue Dot, Broken Spam, Concept: LCD Intercom System, The Fan, Shell Command Injection, Accidents, LED Projector, Comment Spam, Portable SSH/VNC, Pointer Happy, GDB, Slow times, More Emacs, Fuel Dump, C and Java Compile and Exec script, Exploiting the Kernel init argument, Uni, Jetlag and Caffeine, Sri Lanka 2006, Raw IRC, Syskey for Windows, Bad Web Design, Bad, Good Bye vim..., Shortcut to TAMU Intranet, Animated Backgrounds, Public Key Encryption in a nutshell, The Browser Switch, Exploiting trust and email together, Universities Emptying the students, Google IM and Jabber, Low tech voice in space, 49.5 Hours, All good things must come to an end, C++ vs. PHP, CGI C++ Helper, Automatic Scheduler Progress , Ascii Art, Xine, and SSH, Sound of Data, Grand Theft Auto : San Andreas, Un-progress, Fun with Cold, RFID in Clothing, Efficiently Cracking Keypads, Rubber Corners, Dryice Cannon v1.2, My 2am 0.066 Joule coil gun, I look at macs differently now, End of Quest for Perfect Window Manager, Automatic Class Scheduler, Mother nature likes fast drivers, Quakecon 2005, Quest for the perfect window manager, Hitachi gone mad, A Basket Case, Its Alive,

What is this?

This is my personal home page. It's a crude but direct brain dump of my thoughts, ramblings, on going projects, opinions, and ideas. If you want to kill some more time, below are some external sites I frequent, enjoy!

About Me

I'm Janitha, a Computer Engineer and Technology Enthusiast living in Houston, Texas. My interests include Technology, Sciences, Photography, Startups, and everything new and innovative. Currently I am the Tech Lead and Founder at Picsna.

On the flip side, I am a avid music and movie collector, and I enjoy abstract and modern art as a source of inspiration. Driving, playing Tennis, Sleeping, Cooking, Traveling and eating copious amounts of Tangelos and Pistachios are some of my other favorite past times.