Bugtraq mailing list archives
Re: Defeating CAPTCHAs via Averaging
From: noreply9871234 () ich-habe-fertig com
Date: Sat, 3 Feb 2007 01:06:18 +0100
On Thursday 01 February 2007 01:52, Andreas Beck wrote:
No, but it can be easily defeated by changing the placement/appearance of the number(s) as well as that of the noise, or by keeping both constant over reloads. What is exploited here is the fact that noise and payload behave differently on reload. This allows them to be separated.
Exactly, this is the point.
Please note that averaging is a very simple technique to do that. Depending on the type of captcha, one can use methods that converge much more quickly. The simplest one would be to use the simple majority of pixel values, or the median value if slight global noise (e.g. from compression artefacts) is expected. This should yield almost perfect results with as few as 3 different images. Adding a tiny bit of spatial filtering might help as well.
My point of the initial article was NOT to demonstrate a new or especially clever way to defeat a captcha. This would not really be something for bugtraq as most of the captchas can be defeated by sophisticated cutting-edge computer recognition software (see http://www.captcha.net/). The main idea is to show how a design flaw (repeatedly presenting the same information with different obfuscation) can be used to compromise a captcha without the need for an especially clever algorithm. So, it's not about how to defeat the captcha by recognizing the text but how to defeat it by exploiting a design flaw. And the good thing is: This design flaw can easily be avoided. However, one has to be aware of it.

Regards,
Wolfgang Wieser

Contact: wwieser (at) gmx -dot- de
PLEASE do not CC me when posting to the list; I am subscribed.
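As an added example (not part of the original post), here is a check a CAPTCHA implementer can run against their own generator to see whether reloading one challenge leaks the payload, using the per-pixel majority vote mentioned in the thread. The glyph, the stripe noise and all function names are constructed for illustration.

```python
# Constructed 5x7 bitmap of the digit "7" (1 = ink); stands in for the CAPTCHA payload.
GLYPH = ["11111", "00001", "00010", "00100", "01000", "01000", "01000"]
PAYLOAD = [[int(ch) for ch in row] for row in GLYPH]


def render(k):
    """Payload with constructed diagonal stripe noise; the stripes shift with k."""
    return [[p ^ ((3 * r + c + k) % 4 == 0) for c, p in enumerate(row)]
            for r, row in enumerate(PAYLOAD)]


def flawed_reloads(n):
    """Design flaw from the thread: same payload, different noise on each reload."""
    return [render(k) for k in range(n)]


def constant_reloads(n):
    """Mitigation from the thread: noise and payload both constant over reloads."""
    return [render(0) for _ in range(n)]


def majority(renders):
    """Per-pixel majority vote across renders (equals the median for binary pixels)."""
    n = len(renders)
    return [[int(2 * sum(px) > n) for px in zip(*rows)] for rows in zip(*renders)]


def noisy_pixels(img):
    """Number of pixels that differ from the clean payload."""
    return sum(a != b for row, ref in zip(img, PAYLOAD) for a, b in zip(row, ref))


def reload_gain(reloads):
    """Noisy pixels removed by voting over reloads, relative to a single render.
    A gain above zero means reloading separates noise from payload."""
    return noisy_pixels(reloads[0]) - noisy_pixels(majority(reloads))


if __name__ == "__main__":
    for name, gen in (("fresh noise per reload", flawed_reloads),
                      ("constant over reloads", constant_reloads)):
        print(f"{name}: 3 reloads remove {reload_gain(gen(3))} noisy pixels")
```

A generator passes this check when `reload_gain` stays at zero for repeated renders of the same challenge.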