lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 13 Apr 2010 23:44:55 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: "Jan G.B." <ro0ot.w00t@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Anthology of attacks via captchas

Hello Jan!

You are welcome.

> adding you to my killfile, now.

I did reciprocally (symmetrically) - added you to my blacklist. Thanks for
this short conversation.

In your letter there were some mistakes on which I need to answer. As for
all readers of the list, as for you (in case if you'll read it in the list).

First, it's not collection of vulnerabilities from 2007 - 2008, but from
2007 - 2010 (DoS holes in captchas I found in 2009, and begun disclosing
them in 2010).

Second, it's not "up to date". It's up to date, i.e. actual vulnerabilities
which concerns every developer or user of captchas. As all methods of
captcha bypass which I described in project Month of Bugs in Captchas, as
all other attacks mentioned in my article.

I constantly discover vulnerabilities in different captchas (especially
Insufficient Anti-automation vulnerabilities), I did it in 2007, 2008, 2009
and continue to do it in 2010 (and in the future). Everyone must understand,
that vulnerabilities in different captchas mentioned in my article were just
obvious cases of different attacks. So every captcha which was made or will
be made, can be affected to any of these attacks.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Jan G.B." <ro0ot.w00t@...glemail.com>
To: "MustLive" <mustlive@...security.com.ua>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Monday, April 12, 2010 1:08 PM
Subject: Re: [Full-disclosure] Anthology of attacks via captchas


> Thanks for presenting this up to date collection of bugs from the
> years 2007 and 2008.
> I appreciate it - adding you to my killfile, now.
>
>
> 2010/4/9 MustLive <mustlive@...security.com.ua>:
>> Hello Full-Disclosure!
>>
>> Last month I wrote new article Anthology of attacks via captchas, for
>> which
>> I made English version yesterday (http://websecurity.com.ua/4107/). It
>> this
>> article I wrote about different variants of attacks via captchas.
>>
>> Attacks via captchas:
>>
>> * Captcha bypass.
>> * Redirector attacks.
>> * Cross-Site Scripting attacks.
>> * SQL Injection attacks.
>> * CSRF attacks.
>> * Information leakages.
>> * Denial of Service attacks.
>>
>> You can read the article Anthology of attacks via captchas at my site:
>> http://websecurity.com.ua/4107/
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ