Message-Id: <200702030106.19043.noreply9871234@ich-habe-fertig.com>
Date: Sat, 3 Feb 2007 01:06:18 +0100
From: noreply9871234@...-habe-fertig.com
To: bugtraq@...urityfocus.com
Subject: Re: Defeating CAPTCHAs via Averaging
On Thursday 01 February 2007 01:52, Andreas Beck wrote:
> No, but it can be easily defeated by changing the placement/appearance
> of the number(s) as well as that of the noise or by keeping both
> constant over reloads.
>
> What is exploited here, is the fact that noise and payload behave
> differently on reload. This allows to separate them.
>
Exactly, this is the point.
> Please note, that averaging is a very simple technique to do that.
> Depending on the type of captcha, one can use methods that converge
> much more quickly. Simplest one would be to use the simple majority
> of pixel values or the median value, if slight global noise (e.g. from
> compression artefacts) is expected.
>
> This should yield almost perfect results with as low as 3 different
> images. Adding a tiny bit of spatial filtering might help as well.
>
My point of the initial article was NOT to demonstrate a new or especially
clever way to defeat a captcha. This would not really be something for
bugtraq as most of the captchas can be defeated by sophisticated
cutting-edge computer recognition software (see http://www.captcha.net/).
The main idea is to show how a design flaw (repeatedly presenting the
same information with different obfuscation) can be used to compromise
a captcha without the need for an especially clever algorithm.
So, it's not about how to defeat the captcha by recognizing the text but
how to defeat it by exploiting a design flaw.
And the good thing is: This design flaw can easily be avoided.
However, one has to be aware of it.
Regards,
Wolfgang Wieser
Contact: wwieser (at) gmx -dot- de
PLEASE do not CC me when posting to the list; I am subscribed.
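
Added example, not part of the original post and not the author's code: a server-side sketch of the mitigation named in the thread, keeping noise and payload constant over reloads by deriving the noise from the challenge id. The bit-pattern "renderer", `ChallengeStore`, `render_flawed` and `distinct_renders` are hypothetical names and toy stand-ins for a real image generator.

```python
import hashlib
import hmac
import random
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumption)
PIXELS = 60 * 20                      # toy bitmap size (assumption)


def _pixels(seed: bytes) -> list[int]:
    """Toy stand-in for a renderer: a reproducible bit pattern per seed."""
    rng = random.Random(seed)
    return [int(rng.random() < 0.3) for _ in range(PIXELS)]


def _compose(answer: str, noise_seed: bytes) -> bytes:
    payload = _pixels(hashlib.sha256(answer.encode()).digest())
    return bytes(p | n for p, n in zip(payload, _pixels(noise_seed)))


def render_flawed(answer: str) -> bytes:
    """Flawed design from the thread: same payload, fresh noise per reload."""
    return _compose(answer, secrets.token_bytes(16))


class ChallengeStore:
    """Noise is bound to the challenge id, so a reload is byte-identical."""

    def __init__(self) -> None:
        self._answers: dict[str, str] = {}

    def issue(self) -> str:
        cid = secrets.token_urlsafe(16)
        self._answers[cid] = f"{secrets.randbelow(10**5):05d}"
        return cid

    def render(self, cid: str) -> bytes:
        seed = hmac.new(SERVER_KEY, cid.encode(), hashlib.sha256).digest()
        return _compose(self._answers[cid], seed)

    def verify(self, cid: str, guess: str) -> bool:
        # Single use (a choice of this sketch): consumed on any attempt.
        answer = self._answers.pop(cid, None)
        return answer is not None and hmac.compare_digest(
            answer.encode(), guess.encode())


def distinct_renders(render, n: int = 5) -> int:
    """Count different images over n reloads; 1 means nothing to separate."""
    return len({render() for _ in range(n)})
```

A new image is only obtained by calling `issue()` again, which also draws a new answer, so payload and noise always change together.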