MoBiC-08: logical CAPTCHA bypass
22:49 08.11.2007
The next participant in the project is the logical CAPTCHA. This is a type of protection where the user is asked to “check this box” to prove that he is not a bot. It is a popular and accessible type of CAPTCHA, used on many sites, so there are a lot of sites at risk because of such CAPTCHAs.
The first example is wait-till-i.com, where a logical CAPTCHA was used. This CAPTCHA is vulnerable to the MustLive CAPTCHA bypass method. I found this Insufficient Anti-automation hole on 25.10.2007.
To bypass it you need to send the parameter “validemail” with the value “d” with every post. This is the classic MustLive CAPTCHA bypass method, which easily bypasses logical CAPTCHAs.
Most interesting of all: after I informed the admin of the site about the hole in his CAPTCHA (I was trying to inform all participants of the MoBiC project, i.e. the sites with vulnerable CAPTCHAs), he removed the CAPTCHA from his site. This CAPTCHA decided to run away from me (it quit ahead of time). You can find this logical CAPTCHA in Yahoo’s cache (checkbox “Check this box if you are not a spammer”). Nevertheless the objective was achieved: the lame CAPTCHA was hacked to death. So the exploit is for demonstration only, because there is no CAPTCHA at the site at all now. Now the site’s owner needs a new and reliable CAPTCHA.
Insufficient Anti-automation:
wait-till-i.com CAPTCHA bypass.html
Guys, do not overdo this CAPTCHA bypass test. Do not post too much at this site. This exploit is for educational purposes only.
After the first CAPTCHA I decided to find another logical one. The second example is shamanomaly.com with a logical CAPTCHA. This CAPTCHA is vulnerable to two bypass methods. I found these Insufficient Anti-automation holes on 03.11.2007.
1. MustLive CAPTCHA bypass method.
To bypass it you need to send the parameter “nonspammer” with the value “1” with every post.
2. JavaScript protection bypass method.
The check is done in JavaScript only, so if you turn off JS (which is common for bots) you can easily bypass it.
Insufficient Anti-automation:
shamanomaly.com CAPTCHA bypass.html
Guys, do not overdo this CAPTCHA bypass test. This exploit is for educational purposes only.
Moral: never make such unreliable CAPTCHAs.
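Both patterns in the post (a form field that must carry a fixed value, and a check that only runs in the browser’s JavaScript) share one server-side defect: the server accepts a constant. The example below is added here and is not code from the post or from either site it names; it puts that static check next to a server-side check that binds a random, time-limited, single-use token to the visitor’s session, so a constant alone no longer passes. The names weak_check, issue_token, verify_token, hardened_check, SERVER_KEY and TOKEN_MAX_AGE are assumptions, as is the 900-second lifetime.

```python
import hashlib
import hmac
import secrets
import time

# Per-deployment secret (assumed name); a real app loads it from config, not at import.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE = 900  # seconds a form token stays valid (assumed value)
_used_tokens = set()  # single-use bookkeeping; a real app keeps this in session/DB storage


def weak_check(form):
    """The logical-CAPTCHA pattern from the post: a checkbox that maps to a fixed
    field and a fixed value. Any client that sends the constant passes, JS or no JS."""
    return form.get("nonspammer") == "1"


def issue_token(session_id, now=None):
    """Server mints a token when it renders the form: random nonce, issue time,
    and an HMAC that binds both to the visitor's session."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{ts}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{mac}"


def verify_token(session_id, token, now=None):
    """Accept only a token minted for this session, not expired, not replayed."""
    try:
        ts_str, nonce, mac = token.split(":")
        ts = int(ts_str)
    except (AttributeError, ValueError):  # missing, malformed or non-numeric token
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{ts}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):  # wrong session or forged
        return False
    current = now if now is not None else time.time()
    if not (0 <= current - ts <= TOKEN_MAX_AGE):  # expired, or dated in the future
        return False
    if token in _used_tokens:  # replayed: one token, one post
        return False
    _used_tokens.add(token)
    return True


def hardened_check(session_id, form, now=None):
    """Server-side gate: checkbox set AND session-bound token verifies.
    The constant from weak_check is no longer enough on its own."""
    return form.get("nonspammer") == "1" and verify_token(session_id, form.get("token"), now)
```

The token ties a post to a form the server actually served to that session; it does not prove a human is present, so it removes the static-value defect but does not replace a real CAPTCHA or rate limiting.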
Friday, 20:41 09.11.2007
While I am bowing down to your superior knowledge about securing systems, I am not happy at all about you publishing a way to inject unwanted comments into my blog.
I am paid to share my knowledge and I am using my blog as a free outlet to give to people what I consider should be free. You are pissing all over this, attacking a system I didn’t develop.
If I have to spend 90% of my time securing this system I might as well not do it.
On the other hand, if you tell me what can be done to avoid this automated submission, I’ll be happy to write about it and give you the credit advertising you as a security expert in this case.
I give up things for free to make the web a better place, do you?
Saturday, 18:46 10.11.2007
Chris
This is a project. And you (with your old CAPTCHA) became a participant in it after you started to use that vulnerable CAPTCHA. If you look at the project description you’ll see that participation in the project is voluntary - I voluntarily chose the participants for the project. So it’s fate, man. And all info is posted in full disclosure, so you have all details freely available.
I can understand, Chris, that you are not too happy with this (you don’t need additional spam at your site after the details of the hole were posted), but you chose this way after you put that lame CAPTCHA at your site. And after I informed you about that, you removed that vulnerable CAPTCHA (when you upgraded your site’s engine) and now you need a new and secure one. So now you are at even more risk, because you have no CAPTCHA at all.
And now my disclosure is not giving any new info to bad guys to spam your comments, because that CAPTCHA is no longer there. Now this is just educational material. But you need to protect your site. And I’ll help you.
I also mostly do all my work for free - sharing my knowledge and informing people and web app developers about holes in their sites and software. And working every day to make the Web more secure. I’m not talking about attacking you directly, but about holes in software that you use (about such types of CAPTCHAs - your site is just an example). So your fault is that you used that bad CAPTCHA, and I’ll help you to fix this.
Saturday, 19:14 10.11.2007
You just use an insecure CAPTCHA because of a lack of knowledge. And I opened your eyes to that. This is the main task of my project - to help people understand that CAPTCHAs are not so secure and there are a lot of unreliable CAPTCHAs. And for protection from bad guys they need more reliable protection.
Chris, I will certainly help you - it’s my work to make the Web more secure and I’ll give you the required information. For you, because you are not a CAPTCHA developer, I give info on how to protect yourself and your site from spam - you just need a more reliable CAPTCHA. Man, don’t worry - all spammers who attack your site will have to deal with me. We’ll kick them out of your site.
Yes, I do. All my security work (published at my site) and the social security audit that I do every day are done for free - to make the Internet a better and more secure place. And my previous project Month of Search Engines Bugs and my new project Month of Bugs in Captchas are also designed for this purpose.
So, Chris, if you want, I’ll suggest real solutions (which you can look at) for protecting from spammers and recommend you a reliable CAPTCHA.
Monday, 01:40 12.11.2007
Dude, this is a retarded ‘security bulletin’. Do you really think anyone (including Christian) thought this ‘captcha’ was unbeatable?
You’re completely missing out on the real purpose of a captcha like Christian’s. It relies on the fact that no spammer is going to tailor his spamming scripts to suit one particular site with an unusual captcha. And guess what? That approach works remarkably well!
And just to finish this off: Your captcha is vulnerable as well because human labour is cheap. And yours is dead easy to beat in software as well.
Gonna write a bulletin about that as well?
Monday, 23:57 12.11.2007
Marco
There are many vulnerable CAPTCHAs on the Internet. They are of different types: image, text and logical, but every one of them, if it has holes, can be bypassed. So in Month of Bugs in Captchas I’m talking about vulnerabilities in different CAPTCHAs, including logical ones (as I wrote in this article).
Most people think a CAPTCHA is an effective solution (there are different types of CAPTCHAs - people like different CAPTCHAs and use various ones for different purposes, but protection is the main object of any CAPTCHA). In reality there are a lot of vulnerable CAPTCHAs, which can be bypassed by bad guys - to spam at your site and to do any automated activity. So in my project I’m opening the eyes of the Internet community (and Christian and every user of logical CAPTCHAs also) to this situation.
And if you don’t like any post at my site, just don’t read it. No need to write your dissatisfaction in comments. It’s your decision.
Tuesday, 03:03 13.11.2007
Dude, I’m not missing the real purpose of logical CAPTCHAs. I understand what purposes Christian and many other people have when using this type of CAPTCHA, but I’m talking about the other side - the security side of this CAPTCHA (because security is the object of any CAPTCHA). And in the case of logical CAPTCHAs security is very poor. So I’m talking about security, not accessibility, because MoBiC is a security project and this is a security site.
Accessibility and security are a double-edged sword, and people need to choose the right solution. But balance can be achieved. And independently of what you choose, you always need to attend to security. In the case of such logical CAPTCHAs it’s not possible, because they are insecure. Spammers can make a solution for a single site if it’s popular enough, and spammers can make a database of unusual CAPTCHAs to share their knowledge about bypassing such CAPTCHAs (and for the logical type it is very easy to do). Also it is not hard for spammers to make an advanced bot which will be hacking many logical CAPTCHAs by content analysis (because they are easy ones). And in case not spammers but other bad guys come to your site, they will easily bypass your logical CAPTCHA (independently of its originality). And they’ll attack your site hard with automated requests, because it’s a vulnerability if you have no or poor anti-automation protection. So, as I’m trying to tell you and the Internet community - attend to the security of your site.
Marco, I know that my CAPTCHA can be bypassed by a cheap work force and by OCR, but the main thing is that my version has no bypassing vulnerabilities (after I remade it). And it’s still a very effective solution (which has proved itself).
As I wrote at my site before and as Wikipedia says, there are three types of bypassing: human solvers (work force), computer character recognition (OCR) and insecure implementation (vulnerabilities). In my Month of Bugs in Captchas I’m talking only about the third type of bypassing - vulnerabilities in CAPTCHAs. So you missed the main idea of my project - insecurely implemented CAPTCHAs, which can be bypassed (with my methods) more quickly and more cheaply, and so more effectively, than by using a work force or OCR.
No. I’ll not write about work force and OCR methods of bypassing, only about vulnerabilities in CAPTCHAs directly, which allow bots to bypass CAPTCHAs for different automated activity. The topic of insecurely implemented CAPTCHAs is little known, so I’m reminding the Internet community about it.