MoBiC-05: Blogger CAPTCHA bypass

20:45 05.11.2007

The next participant in the project is Blogger's captcha. It is the captcha of the popular blog service from Google, so it's a star captcha. All sites on the Blogger service are at risk with this captcha.

This captcha is used on the Post a Comment page and it's a hard one. I call such captchas hard-breakable (for bypassing methods; I'm not discussing OCR). But it's still vulnerable to one of the Advanced MustLive CAPTCHA bypass methods - in this case, the half-automated method. I found this Insufficient Anti-automation hole on 19.08.2007.

In the half-automated method you need to prepare captcha image-code pairs beforehand (because the captcha images are one-time). Put them into a text file for later use by a program that sends data automatically while bypassing the captcha. So you need to use the captchaKey and captchaAnswer parameters (prepared manually) to bypass the captcha, and the securityToken parameter to bypass the anti-CSRF protection (you can use the same value several times, and the program can download new values automatically, similar to the previous captcha). For bypassing you need to use a new captchaKey and captchaAnswer for every post. It's not fully automated, but it's still a half-automated bypass (without using OCR, only using vulnerabilities in the captcha directly).
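As an added example (not code from this post or from Blogger), the following shows the server-side property whose absence the half-automated method relies on: each captcha challenge is bound to the session it was issued to, accepted exactly once, and expires, and the anti-CSRF token is per session. The `CaptchaStore`, `post_comment`, session and form field names are assumptions made for the illustration; only `captchaKey`, `captchaAnswer` and `securityToken` come from the post.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Hypothetical server-side challenge store: one-time, expiring, session-bound.

    A (captchaKey, captchaAnswer) pair solved beforehand cannot be replayed
    from another session, used twice, or used after its TTL has passed.
    """

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable for deterministic tests
        self._challenges = {}         # key -> (session_id, answer, issued_at)

    def issue(self, session_id, answer):
        """Issue a challenge for one session; returns the opaque captchaKey."""
        key = secrets.token_urlsafe(16)
        self._challenges[key] = (session_id, answer, self.clock())
        return key

    def verify(self, session_id, key, answer):
        # pop() makes the key single-use whether or not the answer matches
        rec = self._challenges.pop(key, None)
        if rec is None:
            return False
        owner, expected, issued_at = rec
        if owner != session_id:                      # bound to issuing session
            return False
        if self.clock() - issued_at > self.ttl:      # expired
            return False
        return hmac.compare_digest(expected, answer)  # constant-time compare


def post_comment(store, session, form):
    """Comment handler: the securityToken must match this session's CSRF token,
    and the captchaKey/captchaAnswer must verify for this same session."""
    if not hmac.compare_digest(session["csrf"], form.get("securityToken", "")):
        return "csrf rejected"
    if not store.verify(session["id"], form.get("captchaKey", ""),
                        form.get("captchaAnswer", "")):
        return "captcha rejected"
    return "posted"
```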

I found this hole at jeremiahgrossman.blogspot.com (but all sites on Blogger are at risk). This is the site of Jeremiah Grossman. You have certainly heard about him :-) - he is a well-known security guy. A security expert who is using insecure blog hosting (with a vulnerable captcha).

Insufficient Anti-automation:

Blogger CAPTCHA bypass.html

Guys, don't overdo it with this captcha bypass test. Don't post too much on this site. This exploit is for educational purposes only.

Moral: try to make more secure captchas.

P.S.

I have also prepared info about another vulnerable Google captcha. So wait for today's bonus post ;-) .
