How to defeat CAPTCHA systems
A captcha (an acronym for "completely automated public Turing test to tell computers and humans apart") is a type of challenge-response test used in computing to determine whether or not the user is human. (wikipedia.org)
If you plan on using a CAPTCHA system, you must be aware of the numerous ways to defeat such a system. Apparently, one of the people constantly defeating CAPTCHAs is Sam Hocevar. His PWNtcha website presents a huge collection of CAPTCHA systems which have been or are in the process of being defeated.
Sam designed a tool (closed source for good reasons) which is able to analyze and decode even the trickiest images.
PWNtcha is simply a toolkit of image manipulation functions, and a list of known CAPTCHAs with the associated list of image operations to apply in order to decode each of them. If I have never seen your CAPTCHA, then PWNtcha does not know about it, and there is absolutely no way it could decode it.
Update May 29:
A vulnerability has been reported in the CAPTCHA plugin for Geeklog, which can be exploited by malicious people to disclose sensitive information or to compromise a vulnerable system. Secunia has the details.
Are you aware of any CAPTCHA system which is not listed on this site?
This entry was posted on Wednesday, April 25th, 2007.
April 27th, 2009 11:13
I’ve never heard about such a long decryption of this word, so thanks very much for the briefing. Any support in the battle against spam-bots can be useful and quite valuable.
August 20th, 2009 07:40
If you de-couple your CAPTCHA image generating code from the image displayed on the device (via encryption) you will have a very high degree of safety against this specific system designed to defeat CAPTCHA.
March 2nd, 2011 09:15
J-Captcha isn't listed on that site. Wondering how good it is…