Lesson two on what not to do with a CAPTCHA
In my previous post on CAPTCHAs I mentioned that “…you need to make sure the end user can’t do anything to influence what code you pick.”
For this example, I will pick on captchas.net, which provides a free CAPTCHA service for anyone to use on their website. While it is pretty cool of them to provide this for free, there is a serious flaw in their implementation. In fact, it is a flaw I have seen more than once in one form or another.
The problem with captchas.net is that the CAPTCHA parameters are set in the image URL, which the client controls. The parameters you can set include the length of the CAPTCHA and the character set used.
Now my first thought is: what would happen if we said we only want one letter, and that letter is Z? We might use this URL as the CAPTCHA image:
http://image.captchas.net?client=demo&random=&alphabet=z&letters=1
This will return an image like this:
As you can see, by modifying the client-side source code, you can make sure the CAPTCHA is always just the letter Z. For any of you who haven’t caught on so far, that means we always know the answer to the CAPTCHA will also be the letter Z. This client-side modification could even be done automatically with a browser plugin or as part of an automated script.
I do, however, need to mention that there are still ways to use captchas.net securely. The key is to track the CAPTCHA secret (the random token, length and alphabet) on the server side so that any client-side modification can be detected and rejected. If using asp.net, it might also help to use viewstate with a MAC.
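To make the server-side tracking concrete, here is an added example that is not captchas.net’s code: the code-derivation scheme is a hypothetical stand-in, and the session is a plain dict. It puts the flawed check (trusting the parameters echoed back by the form) beside the hardened one (trusting only what the server recorded).

```python
import hashlib
import hmac
import secrets
import string

# Constructed server-side secret for this example; a real deployment would load
# it from configuration and never send it to the client.
SERVER_SECRET = b"constructed-demo-secret"


def derive_code(random_token, alphabet, letters):
    """Derive the CAPTCHA text from a random token (hypothetical scheme, not captchas.net's)."""
    digest = hmac.new(SERVER_SECRET, random_token.encode(), hashlib.sha256).digest()
    return "".join(alphabet[b % len(alphabet)] for b in digest[:letters])


def issue_challenge(session):
    """Server picks the token, alphabet and length and records them in the session."""
    challenge = {"random": secrets.token_hex(8), "alphabet": string.digits, "letters": 4}
    session["captcha"] = challenge
    return challenge


def verify_trusting_client(submitted, answer):
    """Flawed check: rebuilds the expected code from whatever parameters the form sent back."""
    expected = derive_code(submitted["random"], submitted["alphabet"], int(submitted["letters"]))
    return hmac.compare_digest(expected.encode(), answer.encode())


def verify_server_tracked(session, submitted, answer):
    """Hardened check: the only trusted parameters are the ones the server stored."""
    stored = session.pop("captcha", None)  # one attempt per challenge, so no replay
    if stored is None:
        return False
    # Any mismatch between what the server issued and what the form echoes back is tampering.
    if any(str(submitted.get(k)) != str(stored[k]) for k in ("random", "alphabet", "letters")):
        return False
    expected = derive_code(stored["random"], stored["alphabet"], stored["letters"])
    return hmac.compare_digest(expected.encode(), answer.encode())


if __name__ == "__main__":
    session = {}
    issued = issue_challenge(session)
    # A form edited to request alphabet=z&letters=1, answered with "z".
    tampered = {"random": issued["random"], "alphabet": "z", "letters": "1"}
    print("trusting client:", verify_trusting_client(tampered, "z"))        # True: bypassed
    print("server tracked: ", verify_server_tracked(session, tampered, "z"))  # False: rejected
```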
Posted in Windows Security
August 22nd, 2007 at 5:10 pm
I think it’s pretty funny that the CAPTCHA used to enter this comment would be very easy to solve…
August 22nd, 2007 at 6:01 pm
Haha, great comment. Fortunately, despite all the weaknesses, even the worst CAPTCHAs still are effective in blocking spam. At least for now.
August 22nd, 2007 at 10:19 pm
Hi Mark, thanks for your concern about our system.
You are right, it’s a feature to choose the length and alphabet of the captcha code. But these parameters are chosen by the provider, using our system. Anyone can retrieve thousands of images from our server, where the code is fixed, e.g.:
http://image.captchas.net/?client=protector&random=xyz&letters=4&alphabet=zzzzzzzzzz
But if the provider of a form has chosen the parameters letters=4 and alphabet=1234567890, it doesn’t help to know the code from the parameters letters=4 alphabet=zzzzzzzzzz.
http://image.captchas.net/?client=protector&random=xyz&letters=4&alphabet=1234567890
What you can use this “weakness” for is to generate thousands of images to train an OCR.
Regards, Felix
August 22nd, 2007 at 11:35 pm
Thanks for adding that. It’s good to see you thought that through. And thanks for providing your service to anyone for free.
The point here isn’t so much to point out flaws in any particular system, but to demonstrate in general what kinds of flaws do exist.
It’s also important to take this all into perspective: a CAPTCHA only slows down spammers and even something as simple as saying “Enter the letter Y in the following box” will usually accomplish just that.
Nevertheless, even the best CAPTCHAs are flawed due to the nature of the technology itself. It’s only through the constant analysis that our collective knowledge will further the technology.
August 23rd, 2007 at 1:52 am
Unless you are hotmail, or someone else super-big, it really isn’t efficient to break any captcha. Hence, a super-simple, unchanging captcha is just as effective as those nasty wobbly spotty ones.
I like your captcha a lot.
August 25th, 2007 at 2:57 pm
Great article :p
I see this inviting anti-spam image you have, just waiting to be cracked..
Correct me if I’m wrong, but one could simply change the antiselect variable in the image source to 1, and the word would always be plan
August 25th, 2007 at 5:37 pm
You are exactly correct; the CAPTCHA I use is a WordPress plugin, Peter’s Custom Anti-Spam:
http://www.theblog.ca/?p=21
This particular CAPTCHA definitely sucks more than the ones I am criticizing but it is simply a first layer of protection that just reduces the number of comments I have to moderate. And it works well for that.
It is important to distinguish the difference between the quest for the perfect CAPTCHA and the everyday application of CAPTCHAs. Most people agree that CAPTCHAs are fairly weak but fortunately they still work for now.
Still, that doesn’t excuse us from studying CAPTCHAs, analyzing the weaknesses, and learning to build more effective security measures for the future.