My project Month of Bugs in Captchas has finished and I’m summing up.
In the project took part 32 CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart): plugins, services, built-in in CMS and individual captchas. The list of project’s participants (in order of appearance): learnwpf.com, craigslist.org, Peter’s Custom Anti-Spam Image, reCaptcha, Blogger, Google, itua.info, mt-scode, wait-till-i.com, shamanomaly.com, opennet.ru, PHP-Nuke, digg.com, Peter’s Random Anti-Spam Image, expert.com.ua, cgisecurity.com, search.live.com, Cryptographp, uaxxi.com, PHP-Fusion, HBH-Fusion, Nucleus CAPTCHA bypass, AIP, peterhost.ru, Math Comment Spam Protection, thepoorhouse.org.uk, Anti Spam Image, Captcha!, internetua.com, IPB, WP-ContactForm, ESP-PIX.
Altogether there were published 75 vulnerabilities in mentioned captchas. Including Insufficient Anti-automation, Cross-Site Scripting (persistent and reflected), SQL Injection and Cross-Site Request Forgery vulnerabilities (and also redirector).
Results of the project: fixed 5 vulnerabilities from 75. It is 6,67% fixed vulnerabilities, which is much lower results of Month of Search Engines Bugs. Captchas developers need to attend more to reliability of their applications. Also there were published many captcha bypass methods (developed by me), which must be taken into account by web developers, for creating more reliable captchas.
Note, that there are not only Insufficient Anti-automation vulnerabilities in captchas, but also others types of vulnerabilities. Such as Redirector (MoBiC-05 Bonus), Cross-Site Scripting (MoBiC-12 Bonus, MoBiC-23 Bonus, MoBiC-26 Bonus, MoBiC-28 Bonus, MoBiC-29 Bonus), SQL Injection (MoBiC-20 Bonus) and Cross-Site Request Forgery (MoBiC-26). So developers of captchas need to improve their security.
Thanks for watching MoBiC project. Best regards. And attend to your security.