Cross-posted from our blog, which is dedicated to computer security.
Earlier we wrote about captcha vulnerabilities on the Kyivstar and Beeline websites. Now we would like to present our research on attacking and protecting captchas.
# Captcha theory
In 1950, Alan Turing wrote an article entitled "Computing Machinery and Intelligence", which was published in the philosophical journal Mind. The article described a test that can distinguish a person from a computer. We will not describe the details of the test; you can read about it yourself on Wikipedia.
So a captcha is one implementation of the Turing test, used to determine who the user of a system is: a person or a computer. In other words, a captcha protects a site from spam bots that leave messages in guest books, comments and so on.
There are thousands of captcha implementations. Most are some kind of image containing text that a person has to decipher. Here are some examples of modern captchas:
(example captcha images not reproduced)
# Captcha vulnerabilities
First, the obvious question: why look for vulnerabilities in captchas at all? The main motivation is spam. Where there is spam there is advertising, and advertising is money. Spammers write software that mass-advertises their customers on forums (leaving posts and private messages), in guest books, through mail gateways and other services: bots that mimic human actions. To prevent mass posting, developers use captchas, whether an open-source solution, a home-grown one or a custom build. With any of these, programmers can make mistakes. Often this comes down to the programmer's experience, but not always: sometimes the captcha itself is implemented correctly, but there are errors in the server software configuration or other factors.
Now we will look at several methods that can be used to bypass a captcha:
1. Programmer errors
The most common captcha weakness lies in its technical implementation. The programmer may overlook subtle points in how the result is processed. For example, the captcha text may be transmitted in the session, or the name of the image file may itself be that text. For example:
http://markitup.com/Captcha.ashx?txt=G-SG (the PageRank of this site is 5)
2. Optical character recognition
Optical Character Recognition (OCR) is the electronic conversion of images of characters and letters into text that can be edited on a computer.
The simplest OCR is template matching: each digit (or letter) in the image is compared against a set of reference glyphs.
This kind of vulnerability is quite rare, but it does turn up on major sites. An example is the captcha vulnerability on the Beeline website.
3. A bad idea
The essence of the method: the captcha implementation itself is very good (noise and so on), but the captcha is, say, only three letters or digits long. In that case plain brute force becomes feasible. The method is especially effective when a botnet is used: a swarm of mindless zombie machines that simply try to guess the image.
4. The human mind
This method relies on paying people to solve captchas. For example, there are many domestic services that pay up to $0.1 for solving a single captcha. This is a real threat because it is hard to resist; an entire industry is built on this method.
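To make methods 1 and 3 concrete, here is an added example (not code from the original post or from Glaive Security Group) in Python. The `VulnerableCaptcha` class is a constructed "before" case: it leaks the answer into the image URL's `txt=` parameter, exactly like the markitup.com link above, and lets a bot keep guessing at the same challenge. The `HardenedCaptcha` class keeps the answer server-side, makes every challenge single-use and time-limited, and compares in constant time. The `answer=` and `now=` parameters, the URL paths and the in-memory stores are assumptions for the demonstration; a real deployment would keep the challenge table in the session store.

```python
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits   # 26 letters + 10 digits = 36 symbols


def _random_code(length):
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class VulnerableCaptcha:
    """Constructed 'before' case combining the two mistakes: the answer is
    exposed to the client as the image URL's txt= parameter, and a wrong
    guess leaves the challenge alive, so it can be guessed at indefinitely."""

    def __init__(self, length=3):
        self.length = length
        self.challenges = {}                      # challenge id -> answer

    def issue(self, answer=None):                 # answer= is a test hook only
        cid = secrets.token_hex(8)
        answer = answer or _random_code(self.length)
        self.challenges[cid] = answer
        image_url = f"/Captcha.ashx?txt={answer}"  # the answer leaks here
        return cid, image_url

    def verify(self, cid, guess):
        return self.challenges.get(cid) == guess  # challenge survives a miss


class HardenedCaptcha:
    """Only an opaque id reaches the client. The answer stays server-side,
    is consumed by the first verification attempt (right or wrong), expires
    after ttl_seconds, and is compared in constant time."""

    def __init__(self, length=6, ttl_seconds=120):
        self.length = length
        self.ttl = ttl_seconds
        self.challenges = {}                      # challenge id -> (answer, issued_at)

    def issue(self, answer=None, now=None):       # answer=/now= are test hooks only
        now = time.time() if now is None else now
        cid = secrets.token_urlsafe(16)
        answer = answer or _random_code(self.length)
        self.challenges[cid] = (answer, now)
        image_url = f"/captcha.png?id={cid}"      # the renderer looks the answer up by id
        return cid, image_url

    def verify(self, cid, guess, now=None):
        now = time.time() if now is None else now
        entry = self.challenges.pop(cid, None)    # single use, whether the guess is right or wrong
        if entry is None:
            return False
        answer, issued_at = entry
        if now - issued_at > self.ttl:
            return False
        return hmac.compare_digest(guess.strip().upper().encode(), answer.encode())


def simulate_guessing_bot(captcha, answer=None):
    """Send every 3-symbol code against ONE issued challenge, the way a
    zombie machine from method 3 would. Returns (solved, guesses_sent)."""
    cid, _ = captcha.issue(answer)
    guesses = 0
    for a in ALPHABET:
        for b in ALPHABET:
            for c in ALPHABET:
                guesses += 1
                if captcha.verify(cid, a + b + c):
                    return True, guesses
    return False, guesses


if __name__ == "__main__":
    # Against the leaky, re-guessable captcha the bot always wins; against the
    # hardened one the first miss burns the challenge and every later guess fails.
    print("vulnerable:", simulate_guessing_bot(VulnerableCaptcha(), answer="999"))
    print("hardened:  ", simulate_guessing_bot(HardenedCaptcha(length=3), answer="999"))
```

The single-use rule is what defeats the botnet in method 3: with 36^3 = 46656 codes and one guess per challenge, each zombie has a 1-in-46656 chance per request instead of a guaranteed hit, and the server can additionally rate-limit challenge issuance per client. Case-folding and whitespace stripping keep the hardened version no harder for a human than the original.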
# Captcha protection
There are many ways to implement a captcha. We will not describe them all, but will focus on ready-made solutions and a few tips.
When developing a captcha, focus first not on its looks but on how hard it is for automated bots. Examples are the captchas used by Google and Bigmir-Internet in their projects.
A secure captcha needs very careful thought. It should use various kinds of text distortion (for images with digits and text) together with careful processing on the server side.
We also suggest using ready-made secure solutions to add a captcha to your website, blog or service. One of them is reCaptcha, a fairly new captcha technology built on a client-server model.
Example: (image not reproduced)
The captcha is quite hard to bypass, yet easy for the user. The user is asked to enter two words (or a set of digits). The entered values are sent via a special API to a reCaptcha server, where they are checked, and your response script receives a reply: correct input or not.
Integrating reCaptcha into popular blog and site engines is very easy, and there are libraries for various programming languages.
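The server side of that exchange, as an added example (not code from the original post, from Glaive Security Group or from reCaptcha's own libraries): the response script forwards the user's token to the verification endpoint and only lets the form submission through if the service answers "success". The endpoint URL and the `secret`, `response`, `remoteip`, `success`, `hostname` and `error-codes` fields are those of the current reCAPTCHA v2 "siteverify" API, which is an assumption here since the post describes the earlier two-word version. The `transport` parameter, the sample JSON replies and the error-code strings the function itself produces are constructed for offline use.

```python
import json
import urllib.parse
import urllib.request

# reCAPTCHA v2 server-side verification endpoint (assumption: current API, not the
# two-word version the post describes).
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def build_siteverify_request(secret, response_token, remote_ip=None):
    """Form-encoded POST body: the site's secret key, the token the widget put in
    the form, and optionally the client's IP."""
    fields = {"secret": secret, "response": response_token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    return urllib.parse.urlencode(fields).encode()


def parse_siteverify_response(raw_body, expected_hostname=None):
    """Turn the endpoint's JSON into (passed, error_codes), failing closed on
    anything unexpected."""
    try:
        data = json.loads(raw_body)
    except (ValueError, TypeError):
        return False, ["malformed-json"]
    if data.get("success") is not True:
        return False, list(data.get("error-codes", ["unknown"]))
    if expected_hostname and data.get("hostname") != expected_hostname:
        return False, ["hostname-mismatch"]   # token was solved for a different site
    return True, []


def default_transport(body):
    """Real network call; swapped out for a stub in offline use."""
    req = urllib.request.Request(SITEVERIFY_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def verify_recaptcha(secret, response_token, remote_ip=None,
                     expected_hostname=None, transport=default_transport):
    """What the 'response script' on the page does: ask the reCaptcha server
    whether the user's input was correct. Any failure, including the verification
    service being unreachable, rejects the submission."""
    if not response_token:
        return False, ["missing-input-response"]
    try:
        raw = transport(build_siteverify_request(secret, response_token, remote_ip))
    except Exception:
        return False, ["verification-unavailable"]
    return parse_siteverify_response(raw, expected_hostname)


# Constructed sample replies, shaped like the endpoint's JSON, for offline use.
SAMPLE_OK = '{"success": true, "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"}'
SAMPLE_FAIL = '{"success": false, "error-codes": ["invalid-input-response"]}'


def failing_transport(body):
    """Stand-in for a network outage."""
    raise OSError("verification service unreachable")


if __name__ == "__main__":
    print(verify_recaptcha("SECRET", "tok", transport=lambda body: SAMPLE_OK,
                           expected_hostname="example.com"))   # (True, [])
    print(verify_recaptcha("SECRET", "tok", transport=lambda body: SAMPLE_FAIL))
    print(verify_recaptcha("SECRET", "tok", transport=failing_transport))
```

Two details matter more than the HTTP call itself: the check must run on the server with the secret key (a client-side "verified" flag is just another value a bot can set), and it must fail closed, so an outage of the verification service or an unparsable reply never waves a submission through. Checking `hostname` stops a token solved on one site from being replayed against another.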
# Conclusion
Today there are a large number of captcha types. Whichever form the Turing test is implemented in, we cannot be sure of its reliability. Therefore you should either use ready-made solutions or engage security specialists who can analyze your implementation and evaluate its security.
Authors: Chernysh Vadim and Rybalko Dmitry, Glaive Security Group