Full Disclosure mailing list archives

Visual Captchas AKA Word Verification Systems


From: "Tom K" <keetch_tw () hotmail com>
Date: Sun, 13 Jun 2004 18:27:22 +0000



Hi everyone,

Whilst trying to write an OCR program to solve visual captchas or "word verification" tests as they are called by online services, I noticed that with Yahoo the online forms which the captchas were trying to protect from bots could be submitted just by solving one image and changing the ".SecData" POST variable to the image name without its extension. This means of course that a bot would not need to solve the captcha, which is quite a challenge at present.

<INPUT type="hidden" name=".SecData" value="akasdmfhugfcvwenecjeeve--">

The purpose of these images is to prevent multiple account sign ups which I am told are often used by spammers and increase server load for other users. If the system in this instance is so trivial to defeat, why is it still being used?

I contacted Yahoo about this issue and I have received no reply. I have no idea of the scale of the problem of mass account holding, so I'm not sure if this warrants "a fix". The problem must have been serious enough to warrant measures to be taken against it. Yahoo cannot be the only website using this technology, so what other sites could be vulnerable? Online E-mail providers, Banks, Shops?

So my first question is simply, why is word verification needed if (in this case) it is so flawed?

Secondly, would it be possible if anyone could kindly supply me with a few links to practical information on Optical Character Recognition, since I am still trying to improve my character recognition rate which is currently at 20-50% depending on the obfuscations applied. i.e. Grids, lines and fuzzing are easily removed, skewing is less so.

On a side note, the o2 online service, which allows free text messages, also allows multiple accounts per mobile number due to a flaw in its sign up system and free text messaging is a more tangible benefit than free email.

Any info on OCR would gratefully be received,
Thanks in advance,


Tom Keetch

keetch_tw () hotmail com
EFNET #computerknights
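
The flaw described in the message above is a challenge reference that the client chooses and can reuse. The following is an added example, not part of the original post and not Yahoo's code, contrasting a verifier that trusts such a reference with one that keeps challenges server-side, single-use and bound to a session. All names (`naive_verify`, `CaptchaStore`, the sample image name and answer) are hypothetical, and the expiry check goes beyond what the post discusses.

```python
import hmac
import secrets
import time

def naive_verify(answers_by_image, sec_data, response):
    # Weak design (assumed model of the flaw): the client picks which
    # challenge is checked, and nothing limits how often it is reused.
    return answers_by_image.get(sec_data) == response

class CaptchaStore:
    """Hardened design: the answer and its binding stay on the server."""

    def __init__(self, ttl=300, clock=time.monotonic):
        self._pending = {}  # challenge_id -> (session_id, answer, expires_at)
        self._ttl = ttl
        self._clock = clock

    def issue(self, session_id, answer):
        # Random opaque id, unrelated to the image file name or the answer.
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (session_id, answer, self._clock() + self._ttl)
        return cid

    def verify(self, session_id, cid, response):
        # pop() burns the challenge on every attempt, pass or fail.
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        owner, answer, expires_at = entry
        if owner != session_id or self._clock() > expires_at:
            return False
        return hmac.compare_digest(answer.lower().encode(),
                                   response.strip().lower().encode())

def demo():
    # Constructed sample data: one image solved once by a human.
    images = {"img_constructed_01": "kx7pq"}
    naive = [naive_verify(images, "img_constructed_01", "kx7pq")
             for _ in range(3)]
    store = CaptchaStore()
    cid = store.issue("session-A", "kx7pq")
    hardened = [store.verify("session-A", cid, "kx7pq") for _ in range(3)]
    return naive, hardened

if __name__ == "__main__":
    print(demo())
```
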


