Monday, June 27, 2011

Captcha cracking

A friend asked me yesterday if I could do the image processing needed to break Captcha.

Captcha = "Completely Automated Public Turing test to tell Computers and Humans Apart".

If you're not sure what a Captcha is, read:

I told him there were already libraries out there to break Captcha, and it's probably not worth my time, as interesting a problem as it is.

PWNtcha - captcha decoder
PWNtcha stands for "Pretend We’re Not a Turing Computer but a Human Antagonist", as well as PWN capTCHAs.

Using AI to beat CAPTCHA and post comment spam

Gimpy, Breaking a Visual CAPTCHA

MegaUpload captcha cracking in JavaScript
This was certainly the last thing we expected to see today. [ShaunF] has created a Greasemonkey script to bypass the captcha on filehosting site Megaupload. It uses a neural network in JavaScript to do all of the OCR work. It will auto submit and start downloading too. It’s quite a clever hack and is certainly helped by the simple 3 character captcha the site employs. Attempting to do the same thing with ReCAPTCHA has proven much more difficult.
UPDATE: [John Resig] explained how it works.

Captcha breaking sweat-shop with Web Service API

Cracking CAPTCHA with Padding Oracle attack

Video shows how to crack all CAPTCHA in a target website using only JavaScript hosted on a different machine. We do that by exploiting Padding Oracle and web browsers' cross-domain information leakage vulnerabilities. One can easily turn this exploit into a distributed attack. Paper at for more technical details.

Social Engineering - involves manipulating people to get them to solve some problem for you. In the case of CAPTCHA, this can be easily done by providing bait such as free porn. Solving and creating captchas with free porn. Now defunct.

CAPTCHA Killer is 100% focused on increasing accessibility on the Internet. There are over 1 Million Americans that suffer from blindness. CAPTCHA Killer can be used to automatically translate an image into the underlying text. (CAPTCHA Killer may only be used in accordance with the Terms Of Service of each website* - please read the agreements.)

For an overview on why visual captchas are a bad idea, see Matt May’s excellent presentation, Escape from CAPTCHA, as well as the W3C’s Inaccessibility of Visually-Oriented Anti-Robot Tests working draft.

More reading about Captcha
