lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <200702030106.19043.noreply9871234@ich-habe-fertig.com>
Date: Sat, 3 Feb 2007 01:06:18 +0100
From: noreply9871234@...-habe-fertig.com
To: bugtraq@...urityfocus.com
Subject: Re: Defeating CAPTCHAs via Averaging

On Thursday 01 February 2007 01:52, Andreas Beck wrote:
> No, but it can be easily defeated by changing the placement/appearance
> of the number(s) as well as that of the noise or by keeping both
> constant over reloads.
>
> What is exploited here, is the fact that noise and payload behave
> differently on reload. This allows to separate them.
>
Exactly, this is the point. 

> Please note, that averaging is a very simple technique to do that.
> Depending on the type of captcha, one can use methods that converge
> much more quickly. Simplest one would be to use the simple majority
> of pixel values or the median value, if slight global noise (e.g. from
> compression artefacts) is expected.
>
> This should yield almost perfect results with as low as 3 different
> images. Adding a tiny bit of spatial filtering might help as well.
>
My point of the initial article was NOT to demonstrate a new or especially 
clever way to defeat a captcha. This would not really be something for 
bugtraq as most of the captchas can be defeated by sophisticated 
cutting-edge computer recognision software (see http://www.captcha.net/). 

The main idea is to show how a design flaw (repeatedly presenting the 
same information with different obfuscation) can be used to compromise 
a captcha without the need for an especially clever algorithm. 
So, it's not about how to defeat the captcha by recognizing the text but 
how to defeat it by exploiting a design flaw. 

And the good thing is: This design flaw can easily be avoided. 
However, one has to be aware of it. 

Regards,
Wolfgang Wieser

Contact: wwieser (at) gmx -dot- de
PLEASE do not CC me when posting to the list; I am subscribed. 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ