lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 27 Jan 2007 03:00:13 +0100
Subject: Defeating CAPTCHAs via Averaging


This article describes how certain types of captchas (such as the ones used 
by a German online-banking site) can be automatically recognized using 
software. The attack does not recognize one particular captcha itself but 
exploits a design error allowing to average multiple captchas containing 
the same information. The result can be recognized by conventional OCR 
programs thereby defeating the captcha. 


The detailed article (including sample images) is online here:


Website developers can easily defend against this attack by not 
allowing the extraction of a series of different captcha images 
with same content. Instead, the image should change only when the 
text content changes. 

Captcha designers can defend agaist averaging attacks by not using 
noise-like distortions. For example, moving and rotaing individual 
letters by a large enough distance/angle will spoil averaging by 
reducing the contrast in averaged images.

Contact: wwieser (at) gmx -dot- de
PLEASE do not CC me when posting to the list; I am subscribed. 

Powered by blists - more mailing lists