[WEB SECURITY] Fake Captcha Protection

psteichen psteichen at gmail.com
Tue Apr 29 16:41:41 EDT 2008


Hi all,

I've only got a small question: what about the reCAPTCHA (
http://recaptcha.net/) service? Does anybody know if it has been defeated?

On Tue, Apr 29, 2008 at 9:56 PM, Chris Weber (Casaba Security) <chris at casabasecurity.com> wrote:

> You've pointed out a very important design aspect of Captchas - they
> should prevent replay and reuse attacks.  This should be well-known to app
> security people.  Although I don't follow your question too well.  Are you
> asking how many Captchas have been defeated?  I haven't been following too
> closely, but I think this might still be a good reference for that:
> http://libcaca.zoy.org/wiki/PWNtcha  If you're really asking the number of
> bad guys who've defeated them, well, I know at least two, and might guess 13
> total.
>
> Chris
>
> -----Original Message-----
> From: The Burmese Hacker [mailto:hacker.ak at gmail.com]
> Sent: Tuesday, April 29, 2008 4:29 AM
> To: websecurity at webappsec.org
> Subject: [WEB SECURITY] Fake Captcha Protection
>
> Hello all
>
> A lot of web sites are using Fake Captcha Protection, which can be
> defeated by a "Replay" attack.
> Recently, I found this hole in Ning.com, a growing social network site.
>
> How many bad guys have defeated those?
>
> Some captcha creation tutorials are also vulnerable to the 'Replay' attack.
> Newbie developers are misusing them in their applications.
>
>
> ----------------------------------------------------------------------------
> Join us on IRC: irc.freenode.net #webappsec
>
> Have a question? Search The Web Security Mailing List Archives:
> http://www.webappsec.org/lists/websecurity/
>
> Subscribe via RSS:
> http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
>
>
>
>
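The replay weakness discussed in the thread, as an added example that is not part of any of the posts above: a server-side challenge store where the "fake" check validates the answer but leaves the solved challenge in place, next to a single-use check that consumes the challenge on first use (right or wrong) and enforces an expiry. The class and method names are hypothetical, not from any real CAPTCHA library.

```python
# Added example (not from the list thread): minimal server-side CAPTCHA
# challenge store. ChallengeStore / issue / verify_* are hypothetical names.
import hmac
import secrets
import time


class ChallengeStore:
    """Server-side map of challenge id -> (expected answer, expiry time)."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable for testing expiry
        self._challenges = {}

    def issue(self, answer):
        """Register a freshly rendered CAPTCHA. Only the id is sent to the
        browser (hidden form field); the answer stays server-side."""
        cid = secrets.token_urlsafe(16)
        self._challenges[cid] = (answer, self.clock() + self.ttl)
        return cid

    def verify_replayable(self, cid, submitted):
        """'Fake' protection: compares the answer but never removes the
        challenge, so one solved (id, answer) pair is accepted on every
        subsequent submission. This is the pattern open to replay."""
        entry = self._challenges.get(cid)
        if entry is None:
            return False
        answer, _expiry = entry
        return hmac.compare_digest(answer, submitted)

    def verify_single_use(self, cid, submitted):
        """Hardened: the challenge is popped on first use, whether or not
        the answer is right, and expired challenges are rejected. A second
        submission with the same id fails because the id no longer exists."""
        entry = self._challenges.pop(cid, None)
        if entry is None:
            return False
        answer, expiry = entry
        if self.clock() > expiry:
            return False
        return hmac.compare_digest(answer, submitted)
```

Consuming the challenge even on a wrong answer also stops repeated guessing against a single rendered image.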