WebApp Sec mailing list archives

Re: Defeating CAPTCHA


From: Michal Zalewski <lcamtuf () dione ids pl>
Date: Fri, 26 Aug 2005 16:12:07 +0200 (CEST)

On Fri, 26 Aug 2005, Subs wrote:

> For instance a picture of our planet, with text overlaid something like
> "3rd Rock From the Sun", "Home" or "Planet" with a question like What
> Would You Call This?

Probably a so-so idea, for a couple of reasons:

  1) Answers limited to dictionary words or trivial phrases; susceptible
     to brute force attacks with a chance of succeeding (you would
     realistically have what, 500-5000 options).

  2) The attacker who gets a hold of your image database and associated
     terms can attack all installations rather easily - whereas random
     character, random modification captchas are harder.

  3) Computers can and do succeed at recognizing simple objects on
     photographs or images, so even without the image database (but with a
     thesaurus), this can be attacked.

In the short run, sure, it sounds more impressive; in the long run, it may
be even more useless than text captchas.

Cheers,
/mz
http://lcamtuf.coredump.cx/silence/

