Re: Anthology of attacks via captchas

["MustLive" <mustlive () websecurity com ua>]

Hello Jan!

You are welcome.

> adding you to my killfile, now.

I did reciprocally (symmetrically) - added you to my blacklist. Thanks for
this short conversation.

In your letter there were some mistakes on which I need to answer. As for
all readers of the list, as for you (in case if you'll read it in the list).

First, it's not collection of vulnerabilities from 2007 - 2008, but from
2007 - 2010 (DoS holes in captchas I found in 2009, and begun disclosing
them in 2010).

Second, it's not "up to date". It's up to date, i.e. actual vulnerabilities
which concerns every developer or user of captchas. As all methods of
captcha bypass which I described in project Month of Bugs in Captchas, as
all other attacks mentioned in my article.

I constantly discover vulnerabilities in different captchas (especially
Insufficient Anti-automation vulnerabilities), I did it in 2007, 2008, 2009
and continue to do it in 2010 (and in the future). Everyone must understand,
that vulnerabilities in different captchas mentioned in my article were just
obvious cases of different attacks. So every captcha which was made or will
be made, can be affected to any of these attacks.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "Jan G.B." <ro0ot.w00t () googlemail com>
To: "MustLive" <mustlive () websecurity com ua>
Cc: <full-disclosure () lists grok org uk>
Sent: Monday, April 12, 2010 1:08 PM
Subject: Re: [Full-disclosure] Anthology of attacks via captchas


> Thanks for presenting this up to date collection of bugs from the
> years 2007 and 2008.
> I appreciate it - adding you to my killfile, now.
>
>
> 2010/4/9 MustLive <mustlive () websecurity com ua>:
> > Hello Full-Disclosure!
> >
> > Last month I wrote new article Anthology of attacks via captchas, for
> > which
> > I made English version yesterday (http://websecurity.com.ua/4107/). It
> > this
> > article I wrote about different variants of attacks via captchas.
> >
> > Attacks via captchas:
> >
> > * Captcha bypass.
> > * Redirector attacks.
> > * Cross-Site Scripting attacks.
> > * SQL Injection attacks.
> > * CSRF attacks.
> > * Information leakages.
> > * Denial of Service attacks.
> >
> > You can read the article Anthology of attacks via captchas at my site:
> > http://websecurity.com.ua/4107/
> >
> > Best wishes & regards,
> > MustLive
> > Administrator of Websecurity web site
> > http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/