I admit it, finding ways to go around security features isn't exactly the objective of this site. Nevertheless, while I was writing an article about CAPTCHAs, I found it incredibly interesting to learn how spammers and robots try to go around this technology. The potential of it is huge: not only could you send comment spam to any blog, you could also create an unlimited number of mail accounts, on Hotmail or Gmail for example.
There are basically three ways to circumvent CAPTCHAs.
Using character recognition
Exploiting bugs and flaws
Using human labor

Character recognition
OCR (optical character recognition) software is getting better and better at finding what text is included in an image. Security companies as much as hackers can develop it. Basically, the program scans the image in which the visual CAPTCHA is engraved and tries to separate the different letters and words. Once it has, it tries to read each letter individually. When the software succeeds at reading the image, it keeps the image and the text in memory. This way, if it happens to fall on the same one again, it only has to look through its memory to find the answer. The existence of this technique forces websites to use a different CAPTCHA every time.
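As an added example (not code from the article), here is a minimal server-side challenge store in Python that enforces the countermeasure just described: every challenge gets a unique, single-use, expiring id, so a bot that has memorised an image and its answer gains nothing by submitting that answer again. The time-to-live value and the answers are constructed for the example.

```python
"""Single-use, expiring CAPTCHA challenge store (added example).
Each challenge is issued once and consumed on the first verification
attempt, so a solved or stale challenge can never be replayed."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 120  # seconds a challenge stays valid (constructed value)


class ChallengeStore:
    def __init__(self, ttl=CHALLENGE_TTL, clock=time.time):
        self._ttl = ttl
        self._clock = clock  # injectable so tests can control time
        self._pending = {}   # challenge_id -> (salt, answer_hash, expires_at)

    def issue(self, answer):
        """Register a freshly rendered challenge and return its unique id.
        Only a salted hash of the answer is kept, never the plaintext."""
        challenge_id = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + answer.encode()).digest()
        self._pending[challenge_id] = (salt, digest, self._clock() + self._ttl)
        return challenge_id

    def verify(self, challenge_id, submitted):
        """Consume the challenge. True only for a correct, in-time,
        first-time answer. The entry is removed on every attempt, so a
        wrong guess burns it and a replay of a solved id is rejected."""
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False  # unknown, already used, or already consumed
        salt, digest, expires_at = entry
        if self._clock() > expires_at:
            return False  # stale challenge: the user must fetch a new one
        candidate = hashlib.sha256(salt + submitted.encode()).digest()
        return hmac.compare_digest(candidate, digest)
```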
Bugs and flaws
CAPTCHAs don't have to be actual images. They can be any system that detects whether the user is a robot or a human. It does happen that these systems have flaws in them. It may take a while for a hacker to find one, but once he has, he can go through the "wall" without difficulty.

Human labor
Yes, it does exist. When a robot stumbles on a website with a visual CAPTCHA, it can send it to another server where it is shown to real humans who are accessing a certain website. Adult content websites are often used. This means that if you encounter a CAPTCHA on a website that might not seem completely legit, you might actually be giving its answer to a robot that is only waiting for you to type it in so it can submit it to another website's form.
If you're not sure what a CAPTCHA is or want more information about it, I suggest reading this article.