Tuesday 29 January 2008

Methodology/Issues of Blogger's CAPTCHA - Updated

CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart. It is nothing but some word verification things that will be found on sites to avoid spam. The idea behind this is - people cannot script to post some data on to the sites unless they fill the text or data in the image they provided. Entered text along with the key will be sent to server for verification and it will permit the request if the entered one matches with the one in the database.

Just found by some browsing, that eBay's captcha can be easily cracked and can be filled with the script. There is an extension for that. I'm sure they may not be reading the image and filling it. They might have found some sort of defect in their implementation.

Just found some on my own on blogger captcha. Blogger captcha's server will generate a key and associate the data that is kept in the image with the key and stores the pair in its database. When the user fills the data and do the submit, server will receive the user filled in data and the key. Server will compare them with the data stored in the database for verification. Once verified, it will be delete that pair from its database. If I get some key data pair and won't use them i.e., don't submit the data to server, we can use it at any time. This part I tested. So, by script, if I'm able to have many submit's to the server very fast using the same key data pair before the server deletes them from its database, we can spam the server with the messages. But, I'm not able to test this with script to see whether I can use the same key data pair multiple times. I want to say that I want to take advantage of the minute time difference between handling the submit request and deleting the key data pair from database.

Also, one more thing here is - by giving the GET requests continously to the server, it will just keep generating the key data pairs and will store them in its database. By doing this, its database of key data pairs can become full. But, I signed saying I won't run scripts on this server, so, I can't run script on this site :)

>>Update1
I have a doubt. How to create/write a program given the text to produce the image having that text in some slanting or some zigzag manner? Hadn't found myself any answers.

>>Update2
We saw the eBay's CAPTCHA got hacked. And, we saw the problems with Blogger's CAPTCHA, I mean, database becoming full (ofcourse, this is not big problem) and the locks etc.. Seeing all these problems what may be the best way of implementing captcha?

4 comments:

Puthali said...

ah not bad, you tuk my advice after all :)
'n for producing the image, i don't think it is difficult, one of the simple things wud be to use normal alphabets, on lot of background noise, which looks like alphabets but ain't, these kinds r common in file sharing sites...btw i just got an idea of how google can use an interactive game, to produce large number of such images, kinda similar to the tagging images game... :)

Vishnu said...

Relating this to tagging images game is mind blowing..
And I'm not able to get what file sharing sites will do here..
And, still I'm not getting how to make such images given a text or data. I mean how to write such program? I guess I'm struck with just traditional programming of C..

Vijesh said...

Better CAPTCHA by more Randomness.
Human Computation

Vishnu said...

Thanks a lot Vijesh.. Its really useful comment.