The Dirty Truth About CAPTCHAs - Even The Best Get Hacked - Ask Yahoo!
January 29th, 2008 | by Ginnie | (Visited 29,897 times)
Years ago, people had no idea what a CAPTCHA was. The term came into existence around 2000 as an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”. The first CAPTCHA was developed by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University. As comment systems, login systems, and spam became more pervasive on the web, it began to be employed as a means of keeping robots out of places they shouldn’t have access to.
Now CAPTCHAs are ubiquitous, and we’ve grown so used to them as security devices that we view them as a nice lock on the door. Except, much like a lock… they too get picked (or cracked, as the case may be).
Came across this and found it interesting:
It has been suggested before that it would be a matter of time, but now it seems official: the Yahoo! CAPTCHA is no more. A team of Russian hackers has found a way to read the CAPTCHA with 35% accuracy. Let there be no mistake: the CAPTCHA that Yahoo! deploys is believed to be one of the most difficult CAPTCHAs to crack. It utilizes bent alphanumeric characters and other features you might expect from a strong CAPTCHA, and still it’s easy for humans to solve. I think this is a great leap in character recognition and the death punch to the Completely Automated Public Turing test to tell Computers and Humans Apart. I have a weak belief in CAPTCHAs these days, since there will always be a way to compute something that requires human interaction, whether it be image CAPTCHAs, audible ones or simply JavaScript-based CAPTCHAs.
The Russian hackers had this to say about the Yahoo! CAPTCHA:
“The CAPTCHA has a vulnerability we’ll discuss later. It’s not necessary to achieve a high degree of accuracy when designing automated recognition software. An accuracy of 15% is enough when the attacker is able to run 100,000 tries per day, taking into consideration the price of non-automated recognition – one cent per CAPTCHA.” Which seems a plausible conclusion.
The released software package shows us some of the techniques used; the implementation of the Yahoo! CAPTCHA recognition engine can be found here:
(link removed)
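The economics in the quote above (and the comment at the end of the page that even 1% might do) rest on a simple model: attempts are cheap, and a solver only has to succeed sometimes. The following Python is an added example, not code from the original post or from the Russian team’s package. The figures it uses (15% and 1% accuracy, 100,000 tries per day, one cent per human-solved CAPTCHA) are the ones quoted; the per-identity attempt budget in `max_solves_under_budget` is an assumed defence parameter introduced here for illustration.

```python
import math

# Figures from the quoted claim, collected here as a constructed input:
# 15% solver accuracy, 100,000 attempts per day, and one cent per CAPTCHA
# if a human-solving service did the work instead.
QUOTED_CLAIM = {"accuracy": 0.15, "tries_per_day": 100_000, "human_cost_per_solve": 0.01}


def expected_solves_per_day(accuracy, tries_per_day):
    """Expected number of CAPTCHAs passed per day by a solver whose
    per-attempt accuracy is `accuracy`, given `tries_per_day` attempts."""
    return accuracy * tries_per_day


def human_equivalent_cost(accuracy, tries_per_day, human_cost_per_solve):
    """Daily price of buying the same number of solves from humans at
    `human_cost_per_solve` each; this is the ceiling on what the
    automated solver is worth to the attacker."""
    return expected_solves_per_day(accuracy, tries_per_day) * human_cost_per_solve


def success_probability(accuracy, attempts):
    """P(at least one pass in `attempts` independent tries)."""
    return 1.0 - (1.0 - accuracy) ** attempts


def attempts_for_success(accuracy, target_probability):
    """Smallest n with 1 - (1 - accuracy)**n >= target_probability, i.e. how
    many tries a low-accuracy solver needs before one pass is near-certain."""
    if not 0.0 < accuracy < 1.0 or not 0.0 < target_probability < 1.0:
        raise ValueError("accuracy and target_probability must lie in (0, 1)")
    return math.ceil(math.log(1.0 - target_probability) / math.log(1.0 - accuracy))


def max_solves_under_budget(accuracy, attempts_per_identity, identities_per_day):
    """Assumed defence (not from the page): each identity the site can key on
    (IP address, session, account) gets at most `attempts_per_identity` CAPTCHA
    tries per day. Expected solves are then bounded by how many identities the
    attacker can field, not by how accurate the solver is."""
    return accuracy * attempts_per_identity * identities_per_day


if __name__ == "__main__":
    c = QUOTED_CLAIM
    print("expected solves/day:", expected_solves_per_day(c["accuracy"], c["tries_per_day"]))
    print("human-service cost for the same output: $%.2f" % human_equivalent_cost(**c))
    for acc in (0.35, 0.15, 0.01):
        print("accuracy %.0f%%: %d tries for a 99%% chance of one pass"
              % (acc * 100, attempts_for_success(acc, 0.99)))
    # With an assumed budget of 5 tries per identity per day and 1,000 identities,
    # even a 35% solver is held to about 1,750 expected solves/day instead of 35,000.
    print("budgeted solves/day:", max_solves_under_budget(0.35, 5, 1_000))
```

The numbers make the quoted point: at 15% the solver yields 15,000 passes a day, which would cost $150 a day from a human service, and it needs only 29 tries for a 99% chance of getting through once; at 1% that rises to 459 tries, still trivial against an unlimited budget. The lever the defender actually controls is the number of attempts per identity, which is why rate limiting and lockouts matter more than a few extra percent of distortion in the image.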
As a programmer, I’ve always been a fan of any anti-hacking/anti-spam device, but I also prefer to use obscurity to my advantage by rolling my own. When something is adopted by other sites, you only need to hack one or two to figure out how to hack the rest. With self-built solutions, it’s easier to add in extra layers of obscurity and security. It may not be the best coding practice, but it’s worked as well as the alternatives many times.
“An accuracy of 15% is enough when the attacker is able to run 100,000 tries per day, taking into consideration the price of non-automated recognition – one cent per CAPTCHA”
Even a 1% accuracy might be enough, depending on the nature of the attack.