WebApp Sec mailing list archives

RE: [WEB SECURITY] Defeating CAPTCHA


From: "Debasis Mohanty" <debasis () hackingspirits com>
Date: Thu, 25 Aug 2005 00:46:27 +0530

Early this year, I had an opportunity to work on CAPTCHAs. Also wrote a
program which can defeat simpler CAPTCHAs but it has its limitations. As the
complexities of the algorithm increase with increase in the CAPTCHA's
complexities, I had to drop it half way ;-) Thought it was a wastage of
time...

Pick from my post in FD - 
http://lists.grok.org.uk/pipermail/full-disclosure/2005-March/032708.html

There already exist a few interesting projects around on circumventing
CAPTCHA ( http://www.captcha.net/ ). There are various algorithms being
written to defeat the simplest to the complex CAPTCHAs but only a few CAPTCHAs
have survived such tests.

A project devoted to breaking CAPTCHA systems can be found here:
http://sam.zoy.org/projects/pwntcha/ 

Here's a link to the original paper that discussed how they broke the
ez-gimpy system that Yahoo! uses (92%), and have about a 33% success rate
with the harder version, gimpy.
http://www.cs.berkeley.edu/~mori/gimpy/gimpy.html 


- D


-----Original Message-----
From: robert () webappsec org [mailto:robert () webappsec org] 
Sent: Wednesday, August 24, 2005 11:59 PM
To: websecurity () webappsec org; webappsec () securityfocus com
Subject: [WEB SECURITY] Defeating CAPTCHA

This was linked off of slashdot
(http://it.slashdot.org/article.pl?sid=05/08/24/1629213&tid=172&tid=95)
and explains some of the ways people are breaking CAPTCHA
(http://en.wikipedia.org/wiki/Captcha) based systems.

http://sam.zoy.org/pwntcha/

- Robert
robert_at_webappsec.org
http://www.cgisecurity.com


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/



