Open Source and information security mailing list archives
From: keetch_tw at (Tom K)
Subject: Visual Captchas AKA Word Verification Systems

Hi everyone,

Whilst trying to write an OCR program to solve visual captchas or "word 
verification" tests as they are called by online services, I noticed that 
with Yahoo the online forms which the captchas were trying to protect from 
bots could be submitted just by solving one image and changing the 
".SecData" POST variable to the image name without its extension. This 
means of course that a bot would not need to solve the captcha, which is 
quite a challenge at present.

<INPUT type="hidden" name=".SecData" value="akasdmfhugfcvwenecjeeve--">

The purpose of these images is to prevent multiple account sign ups which I 
am told are often used by spammers and increase server load for other users. 
If the system in this instance is so trivial to defeat, why is it still 
being used?

I contacted Yahoo about this issue and have received no reply. I have no 
idea of the scale of the problem of mass account holding so I'm not sure if 
this warrants "a fix". The problem must have been serious enough to warrant 
measures to be taken against it. Yahoo cannot be the only website using this 
technology, so what other sites could be vulnerable? Online E-mail 
providers, Banks, Shops?

So my first question is simply, why is word verification needed if (in this 
case) it is so flawed?

Secondly, could anyone kindly supply me with a few 
links to practical information on Optical Character Recognition, since I am 
still trying to improve my character recognition rate which is currently at 
20-50% depending on the obfuscations applied. i.e. Grids, lines and fuzzing 
are easily removed, skewing is less so.

On a side note, the o2 online service, which allows free text messages, also 
allows multiple accounts per mobile number due to a flaw in its sign up 
system and free text messaging is a more tangible benefit than free email.

Any info on OCR would gratefully be received,
Thanks in advance,

Tom Keetch
EFNET #computerknights
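As an added example that is not part of the original post or of any Yahoo code, the following Python models the check described above: a verifier with the reported weakness (the hidden ".SecData" value is just the image name, the answer for an image never changes, and nothing marks a challenge as used) next to a hardened one that issues a random single-use challenge id, keeps the expected word server-side, and expires it. The post does not say how Yahoo's server actually validated the field, so the weak verifier's internals are an assumption; the image names, words and form submissions are constructed for the demonstration.

```python
"""
Added example, not part of the original post or of any Yahoo code: a toy
model of the CAPTCHA check described above, with the weakness the post
reports, next to a hardened verifier.

Assumed (the post does not say how Yahoo's server actually validated the
field): the weak server uses the image name as the ".SecData" hidden value,
keeps a fixed answer per image and never marks a challenge as used, so one
solved image can be replayed, or its name simply typed in. Image names and
answers below are constructed for this demonstration.
"""
import hmac
import os
import secrets
import time

# Constructed answer table: image name (without extension) -> expected word.
IMAGES = {
    "img_0001": "XK4P9",
    "img_0002": "M2R7T",
    "img_0003": "Q8WZC",
}


class WeakVerifier:
    """Mirrors the reported flaw: .SecData is the bare image name and the
    check is stateless, so any (image name, its word) pair works forever."""

    def __init__(self, images):
        self.images = images

    def new_challenge(self):
        image = secrets.choice(sorted(self.images))
        return image, image          # (.SecData value, image to display)

    def verify(self, sec_data, answer):
        expected = self.images.get(sec_data)
        return expected is not None and answer.upper() == expected


class HardenedVerifier:
    """Random single-use challenge id, answer kept server-side, with expiry.
    Knowing or guessing the image name gives the client nothing."""

    def __init__(self, images, ttl_seconds=300, clock=time.time):
        self.images = images
        self.ttl = ttl_seconds
        self.clock = clock
        self.pending = {}            # challenge id -> (expected word, issued at)

    def new_challenge(self):
        image = secrets.choice(sorted(self.images))
        cid = os.urandom(16).hex()   # unguessable, not derived from the image
        self.pending[cid] = (self.images[image], self.clock())
        return cid, image

    def verify(self, sec_data, answer):
        entry = self.pending.pop(sec_data, None)   # pop: single use, even on failure
        if entry is None:
            return False
        expected, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(answer.upper().encode(), expected.encode())


def accepted_replays(verifier, attempts=5):
    """Solve one challenge (the answer table stands in for a human or OCR
    solve), then resubmit the same (.SecData, word) pair `attempts` times.
    Returns how many submissions the verifier accepted."""
    sec_data, image = verifier.new_challenge()
    word = IMAGES[image]
    return sum(1 for _ in range(attempts) if verifier.verify(sec_data, word))


def accepted_by_image_name(verifier):
    """The post's bypass: skip the image entirely and send the image name as
    .SecData together with its known word."""
    return verifier.verify("img_0002", IMAGES["img_0002"])


def accepted_after_expiry(ttl_seconds=300):
    """Hardened verifier with a fake clock: an unused challenge submitted
    after the TTL is rejected."""
    now = [1_000_000.0]
    v = HardenedVerifier(IMAGES, ttl_seconds, clock=lambda: now[0])
    cid, image = v.new_challenge()
    now[0] += ttl_seconds + 1
    return v.verify(cid, IMAGES[image])


if __name__ == "__main__":
    print("weak, replays accepted:    ", accepted_replays(WeakVerifier(IMAGES)))
    print("hardened, replays accepted:", accepted_replays(HardenedVerifier(IMAGES)))
    print("weak, image name only:     ", accepted_by_image_name(WeakVerifier(IMAGES)))
    print("hardened, image name only: ", accepted_by_image_name(HardenedVerifier(IMAGES)))
    print("hardened, after expiry:    ", accepted_after_expiry())
```

The point of the hardened version is that the hidden field carries no information a client could compute: the id is random, the answer lives only on the server, and `pop` consumes the challenge on the first attempt whether or not it succeeds. A real deployment would additionally bind the challenge id to the visitor's session and rate-limit challenge issuance per client, since an attacker who can request unlimited fresh challenges still gets unlimited OCR attempts.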

