MoBiC-20: Nucleus CAPTCHA bypass

20:41 20.11.2007

Next participant of the project is Nucleus captcha. Which is using at comment confirmation page. Vulnerable version is Nucleus 3.01 (and previous and possibly next versions).

Like Google said there are up to 2170000 sites in Internet on this engine. And including all those sites which use Nucleus, but have no “Powered by Nucleus” sign, there are potentially more millions of sites which are in risk with this insecure captcha.

This captcha is vulnerable for half-automated method (I’ll wrote about another more rapid method in bonus post). It is one of Advanced MustLive CAPTCHA bypass methods. This Insufficient Anti-automation hole I found 16.08.2007.

In half-automated method you need to prepare captchas image-code pairs beforehand (because of one-time captcha images). For bypassing you need to use new code and myid values for every post. It’s not fully automated, but it’s still half-automated bypass (without using OCR, only using vulnerabilities in captcha directly). Those who don’t want to work by themselves, can use cheap work force to prepare image-code pairs or use OCR software (even for not real time recognition). Though this method allow personal captcha bypassing without additional resources (work force or OCR).

Insufficient Anti-automation:

Nucleus CAPTCHA bypass.html

This exploit for educational purposes only. Don’t use it for malicious purposes at any site on Nucleus.

You need to setup exploit to test it (set site’s URL and others data).

Moral: try to make more secure captchas.


Also I prepared another vulnerability in Nucleus. So wait for today’s bonus post ;-) .

Leave a Reply

You must be logged in to post a comment.