Yet another failed CAPTCHA?
mb
Today I ran across a Firefox add-on that automatically fills out the CAPTCHA form when you log in:
https://addons.mozilla.org/firefox/4381/
Although some might think this is convenient, it obviously shows that eBay’s CAPTCHA, like so many others, fails to prevent automated form filling. So many CAPTCHAs are poorly implemented, either on the development end, the visual end, or the user-experience end, that they are starting to get a bad reputation.
Here are some of the common mistakes I see:
- Deriving the value of the CAPTCHA from the IMG tag URL, so that requesting the same URL always yields the same CAPTCHA value. This is vulnerable to several attacks, including client-side modification of the HTML source so that the client, not the server, chooses which URL (and therefore which answer) is used.
- Deriving the value of the CAPTCHA from the session ID, especially when the session ID is vulnerable to session fixation.
- Basing the CAPTCHA on anything else that the user can modify or manipulate.
- Obscuring a CAPTCHA by adding fonts, noise, patterns, grids, etc. is not going to prevent an OCR attack. An automated run through a few photo filters (increase contrast, remove noise, smooth) will make those techniques completely useless.
- Adding background colors does nothing. Do you really think a color is going to fool an OCR module?
- Providing multiple-choice CAPTCHAs (e.g., click on the right picture) with so few options that random guessing still has a reasonable success rate.
- Using a single font with lined-up characters and even spacing.
- Inventing lame gimmicks as a new alternative to a CAPTCHA.
On the other hand, I see many CAPTCHAs that are very difficult to use. If you have too much obscuring, the CAPTCHA fails because humans can’t decipher it either.
Some common annoyances on the user end are:
- CAPTCHAs that you simply can’t decipher.
- CAPTCHAs that use both the letter O and the digit 0.
- CAPTCHAs that use upper and lower case and are case sensitive. The problem is that some letters look exactly the same in both cases, and you can’t tell which one is meant.
- CAPTCHAs that are finicky, so that when you go back you have to fill out the entire form again.
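As an added example (not code from the original post), the following Python puts the two lists above side by side: the first mistake, where the answer is derivable from the image URL, is shown as the anti-pattern it is, next to a server-side challenge store in which the answer never leaves the server, the image is keyed by a random token rather than the session ID, and each challenge is consumed on its first verification attempt. The generator also uses an alphabet that leaves out the look-alike characters the second list complains about (O/0, I/l/1) and compares case-insensitively. The five-minute expiry and the token length are assumptions of this example, not something the post specifies.

```python
import hmac
import secrets
import time

# Constructed example: characters that are easy to confuse in a distorted image
# (O/0, I/l/1) are deliberately left out of the alphabet.
CAPTCHA_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
CAPTCHA_TTL_SECONDS = 300  # assumed lifetime of a challenge (not from the post)


def weak_captcha_url(answer: str) -> str:
    """Anti-pattern from the post: the answer travels in the image URL, so the
    same URL always yields the same CAPTCHA and the client controls the value."""
    return f"/captcha.png?text={answer}"


class CaptchaStore:
    """Server-side challenge store (hypothetical helper, not a real library).

    The answer is kept only here; the page and the image endpoint see an opaque
    random token that is independent of the session ID, and a challenge is
    removed on its first verification attempt whether or not it succeeds."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._challenges: dict[str, tuple[str, float]] = {}

    def new_challenge(self, length: int = 6) -> tuple[str, str]:
        """Return (token, answer). The token goes into the form and the image
        URL; the answer is handed only to the server-side image renderer."""
        answer = "".join(secrets.choice(CAPTCHA_ALPHABET) for _ in range(length))
        token = secrets.token_urlsafe(16)
        self._challenges[token] = (answer, self._clock() + CAPTCHA_TTL_SECONDS)
        return token, answer

    def image_url(self, token: str) -> str:
        """The image endpoint is keyed by the opaque token only, never by the answer."""
        return f"/captcha.png?token={token}"

    def verify(self, token: str, submitted: str) -> bool:
        """Single-use check: the challenge is popped before comparison, so a
        wrong guess cannot be retried against the same image."""
        entry = self._challenges.pop(token, None)
        if entry is None:
            return False
        answer, expires_at = entry
        if self._clock() > expires_at:
            return False
        # Case-insensitive: the post notes that some letters are indistinguishable
        # between cases in a distorted image. compare_digest avoids a timing leak.
        return hmac.compare_digest(answer.encode(), submitted.strip().upper().encode())


if __name__ == "__main__":
    store = CaptchaStore()
    token, answer = store.new_challenge()
    print("image:", store.image_url(token))
    print("first attempt (lower case):", store.verify(token, answer.lower()))
    print("replay of same token:", store.verify(token, answer))
    print("weak design leaks the answer:", weak_captcha_url(answer))
```

The design choice worth noting is that `verify` removes the challenge before comparing, so neither a failed guess nor a successful one can be replayed, which is the property the URL- and session-ID-derived designs in the first list lack.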
Here’s an interesting link on defeating CAPTCHAs:
Posted in Application Security