Many websites use a challenge-response mechanism known as CAPTCHA (Completely
Automated Public Turing test to tell Computers and Humans Apart) to protect
against automated creation of user accounts or content, or other abuse of the
services they provide.
Most common CAPTCHA systems work by generating distorted characters, text, or
pictures that are easily recognized by the human brain but present significant
difficulty for computer OCR (optical character recognition) or other image
recognition systems.
Although CAPTCHA may be fairly effective at verifying that a reply is from a
human and not a computer, it does not guarantee that the reply is from the human
for whom the challenge was intended.
- Website A hosts a service protected by CAPTCHA verification.
- Website B is set up by a party desiring to automate usage of the services of
Website A.
- Website B offers users free access to content, but requires that they defeat
a CAPTCHA challenge.
- Website B copies a CAPTCHA image from Website A that it needs defeated and
presents it to a visiting user.
- The user provides the CAPTCHA response.
- Website B provides the offered content to the user, and then uses their
response to defeat the CAPTCHA test on Website A.
In this way, automation residing on Website B can distribute the work of
defeating CAPTCHA challenges to many people who are unknowingly providing
responses to challenges from Website A. In some ways it is similar to a
distributed computing model: instead of distributing tasks to computers, the
idea here is to distribute the CAPTCHA tasks to humans.
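The relay works because Website A accepts a correct answer whenever it arrives and from whoever submits it. The following is an added example (not code from the original article) of the server-side controls a defender at Website A can apply: each challenge is bound to the session that requested it, is single-use, and expires after a short TTL. These controls do not defeat human relay outright, since the relay operator's own session can still submit a quickly obtained answer, but they shrink the window in which a relayed answer is accepted, block replay of a solved challenge, and produce an audit trail of late or out-of-session submissions that can be alerted on. The class and function names (`CaptchaStore`, `FakeClock`, `demo`), the TTL of 60 seconds and the sample answers are all constructed for this example.

```python
"""Added example: session-bound, single-use, time-limited CAPTCHA challenges.

Not the article's code. The challenge text ("answer") is assumed to be
produced by whatever renders the image; only the bookkeeping is shown here.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    answer: str        # text rendered in the image (constructed by the issuer)
    session_id: str    # session the challenge was issued to
    issued_at: float   # clock reading at issue time
    used: bool = False # set once any verification attempt consumes it


class CaptchaStore:
    """Server-side record of outstanding challenges (hypothetical helper)."""

    def __init__(self, ttl_seconds: float = 60.0, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so the demo can fake time
        self._challenges: dict[str, Challenge] = {}
        self.rejections: list[tuple[str, str]] = []  # audit log (id, reason)

    def issue(self, session_id: str, answer: str) -> str:
        """Register a challenge for one session and return its opaque id."""
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(answer, session_id, self.clock())
        return challenge_id

    def verify(self, challenge_id: str, session_id: str, response: str):
        """Return (accepted, reason). Every attempt consumes the challenge."""
        ch = self._challenges.get(challenge_id)
        if ch is None:
            return self._reject(challenge_id, "unknown_challenge")
        if ch.used:
            return self._reject(challenge_id, "replayed")
        ch.used = True  # single-use regardless of outcome
        if ch.session_id != session_id:
            return self._reject(challenge_id, "session_mismatch")
        if self.clock() - ch.issued_at > self.ttl:
            return self._reject(challenge_id, "expired")
        # Constant-time comparison; answers are ASCII so encoding is safe.
        expected = ch.answer.strip().lower().encode()
        given = response.strip().lower().encode()
        if not hmac.compare_digest(expected, given):
            return self._reject(challenge_id, "wrong_answer")
        return (True, "ok")

    def _reject(self, challenge_id: str, reason: str):
        self.rejections.append((challenge_id, reason))
        return (False, reason)


class FakeClock:
    """Deterministic clock for the demo (constructed, not a real dependency)."""

    def __init__(self, start: float = 0.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk through the cases a defender cares about; returns each outcome."""
    clock = FakeClock()
    store = CaptchaStore(ttl_seconds=60.0, clock=clock)
    results = {}

    # 1. Legitimate user: same session, answered well within the TTL.
    cid = store.issue("sess-alice", "x7k2q")
    clock.advance(20)
    results["legit"] = store.verify(cid, "sess-alice", "X7K2Q")

    # 2. The same solved challenge submitted again is refused.
    results["replay"] = store.verify(cid, "sess-alice", "x7k2q")

    # 3. Relay: the requesting session forwards the image to a third party and
    #    the answer only comes back after the TTL has elapsed.
    cid2 = store.issue("sess-bot", "m3pq8")
    clock.advance(90)
    results["late_relay"] = store.verify(cid2, "sess-bot", "m3pq8")

    # 4. A correct answer submitted from a session the challenge was not issued to.
    cid3 = store.issue("sess-bot", "h4rt1")
    results["cross_session"] = store.verify(cid3, "sess-other", "h4rt1")

    # 5. Plain wrong answer from the right session.
    cid4 = store.issue("sess-carol", "b9zz2")
    results["wrong"] = store.verify(cid4, "sess-carol", "b9zz3")

    results["rejection_count"] = len(store.rejections)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `rejections` list is the part worth wiring into monitoring: a burst of `expired` or `session_mismatch` outcomes against one source is exactly the signature a relay scheme leaves, because the answer path runs through a second site and a human, while a normal user answers from the session that loaded the image within seconds.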
This method was used by spammers in 1994 to defeat a Turing-test-based spam
protection mechanism in Microsoft's Hotmail service. The spammers promoted a
website containing pornography and required visitors to enter a CAPTCHA before
they were granted access. The CAPTCHAs used to access the porn site were
originally generated by the Hotmail service. The CAPTCHA solutions entered by
visitors to the porn site were then used by the spammers to solve the CAPTCHA
challenges in Hotmail, allowing them to automate the creation of new accounts
for sending spam.
More recently, trojans such as Captchar
(http://vil.nai.com/vil/content/v_143504.htm) have been using this method as
well.
Although it is possible to identify the difference between a computer and a
human, there may yet be a challenge in verifying that a given human response is
from the intended