среда, 16 января 2008 г.

Yahoo! CAPTCHA is broken

Hello! We're security researchers from Russia. Our fields of interest: security research, OS security, machine learning. This blog is dedicated to our security research.

Few months ago we received information that yahoo CAPTCHA recognition system exists in the wild with the recognition rate about 30%. So we decided to conduct few experiments. We explored yahoo CAPTCHA and designed a similar system with even better recognition rate (about 35%). The vendor was notified. The vendor didn't reply. In this article we’ll present you our own research.



Many internet resources that specialize in CAPTCHA recognition claim that yahoo CAPTCHA is very difficult for machine recognition.



http://sam.zoy.org/pwntcha/ - “A very good captcha, but not always human-solvable”


http://www.lafdc.com/captcha/ - “Very difficult”


http://captcha.ru/articles/visual/ - “Very good”



However, that’s not right. Your CAPTCHA has vulnerability we’ll discuss later. It’s not necessary to achieve high degree of accuracy when designing automated recognition software. The accuracy of 15% is enough when attacker is able to run 100 000 tries per day, taking into the consideration the price of not automated recognition – one cent per one CAPTCHA.


The implementation of yahoo CAPTCHA recognition engine is here . It consists of two projects (client and server).
First project (server) needs MATLAB 2007a Compiler Runtime (MCR) installed. It waits for a connection and receives CAPTCHA, after that it sends recognized CAPTCHA text string back to client.
Client reads jpg-files in test1 directory and sends them one by one to the server located on the same machine.


If you have any questions or propositions, please contact us. We’re open to discussions.

NetworkSecurityResearch@gmail.com




-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 8.1

mQGiBEeN+VYRBADQgAFM+oFlMCVyM93B9Mrm7GltHQ1cyf+AIzy3tq29l5eq4zkZ
Kx+QdSvz+chRWjYAjgUS9zgSwzoQa1ZRsTd9o4mhL6hukYxp7IU/s7T8gg2wUkYF
3MHJctgrkj2K+Ux64jy7ONw2XrDcRUjd0Q8fVHS7hRzYhi6v6fuXCWi/+wCg/xuj
n7zGVhf4zN1zKQmdzb7PLjcD/3qhMtsZrzB7Hcf+LnU6WLdqT+Vm6d+QUjAKVxAE
o4cXtqZIfLc3HTF1WdzUb0JsSS8HiOmy3Xi3ckr8DRnwa+jU+nwel5p9E2sn67GV
Izl+lDLBjM6DAnja/MA40Ddu/kOVgysKmgrlHShm+ybji5bgMaP3q7zPG3GwbO/m
p0W7BADIbDDsM3snTJLtEkK3j3lkE2WIMDaMZy5jGADfdnM/7N26S7ONDJuG7I5s
71BNjHwlOHbuW4HtZsSzUa9DgPMCOT8p/mii+OpLOsnyFKWs1fssG3wyMSu7FXdL
uivaXH2DxCDNDqOG48XXz8d1hx2CWqFxB2Im8uFzVYmT6tC2CrQ9TmV0d29yayBT
ZWN1cml0eSBSZXNlYXJjaCA8TmV0d29ya1NlY3VyaXR5UmVzZWFyY2hAZ21haWwu
Y29tPokAXQQQEQIAHQUCR435VgcLCQgHAwIKAhkBBRsDAAAABR4BAAAAAAoJEBTq
o++UHsXIrYkAoIUtLN0TBrVFwEM0hR3Oksc6PNVtAJ9lKMsN8+Lwrd5s+EN6Vuc3
nQ/i0LkEDQRHjflWEBAA+RigfloGYXpDkJXcBWyHhuxh7M1FHw7Y4KN5xsncegus
5D/jRpS2MEpT13wCFkiAtRXlKZmpnwd00//jocWWIE6YZbjYDe4QXau2FxxR2FDK
IldDKb6V6FYrOHhcC9v4TE3V46pGzPvOF+gqnRRh44SpT9GDhKh5tu+Pp0NGCMbM
HXdXJDhK4sTw6I4TZ5dOkhNh9tvrJQ4X/faY98h8ebByHTh1+/bBc8SDESYrQ2DD
4+jWCv2hKCYLrqmus2UPogBTAaB81qujEh76DyrOH3SET8rzF/OkQOnX0ne2Qi0C
NsEmy2henXyYCQqNfi3t5F159dSST5sYjvwqp0t8MvZCV7cIfwgXcqK61qlC8wXo
+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh01D4
9Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscBqtNb
no2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFstjvbz
ySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISnCnLW
hsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVes91hcA
AgIQALg1uiEsWMaa9mpNDH4uBSa+tFbz/mEqoV6G8w6LK+XdzbohQQa1cQgr5J44
PPrhe/1uS9llrt4WtUsChFFNJqMM3sURLE7c7uWdVVabKQoXOY+c0wiuMmJ+O5WZ
BaKJLNUvgZBTqsBFs2dttF2AjJCR5u2Yg+yVjeKzbvhJtEwIs14DYIAkS6768E2K
eJfoJUls7Cr5GKXNoFeV3vYQK56bNOsbeObeIbuZvarbelrJIFspLBt1wYqZH9zt
gek/Oz/GJvZwxGbPQhTTtLKMrzzbWWMudaEOX2/HkQFnOyp/57AoZVYK8z2/6H5N
sdIukFynx4BIMgxjhVffp73rshzsDpuSd2GJWzOoxa0hvw4y7DiVQ/VZPC4bFAzQ
lYyEfi0M6JRjthalrVAmWPraXtZoctTK+B3/Jb8rr2W4twJCWl6xP7vsgDM/yTmG
QDMNVM62YKH/R1K0/avqTso7RXrL3I1z5idQ3tjGQj+OEJIjkvDGeq5aqGbkXSTr
XhO7hPspNBUa86kRS20g3OGrMLxVZIDKeRaPrZFaVEQ3+48b5qcmKA6i7SAgYtf9
MskaRTPknB1G/LNS2+Wh1j1MBvmicfdxuD+W//KURlhtJEtFb+5uSqdt5/148dGU
pd/EMBLbbyVQX0mtbtmTEBMmRgw2OLcwTE9+b531OWKc0VCZiQBMBBgRAgAMBQJH
jflWBRsMAAAAAAoJEBTqo++UHsXI99gAoKHO03H+us50GVQaYpBsdMA00V9cAJ4s
YHrXFcQNqu1okd2Rx9iADQSWMA==
=pp5+
-----END PGP PUBLIC KEY BLOCK-----

10 комментариев:

Ashly комментирует...

Great job!!

Ashly A K

Анонимный комментирует...

"Российские программисты обошли систему CAPTCHA на портале Yahoo"

Респект и уважуха, ребята.

Анонимный комментирует...

+1 молодцы!

Анонимный комментирует...

пидорасы вы тупые. Стольким людям бизнес попортили.

Анонимный комментирует...

I just want to mention the amusing fact that this blog requires a captcha to post, and it looks pretty easily broken.

Анонимный комментирует...

go west! Now you are slashdotted: http://it.slashdot.org/article.pl?no_d2=1&sid=08/01/30/0037254

Himanshu Sonkar комментирует...

Hi there.. Any idea where can i get MATLAB from?

Анонимный комментирует...

2аноним (24 Январь 2008 г. 5:15):

Не думаю, что их бизнес слишком пострадал. А жадничать нехорошо, заплатили бы спецам за укрепление капчи и никто бы никогда ее не преодолел.

Анонимный комментирует...

Они наверное вас кинули с деньгами отказались от ваших услуг и вы их трахнули молодци так их в зад! только gmail не трогайте! плиз! =)

Apple's man комментирует...

Да уж, постарались наславу!