[WEB SECURITY] my website captcha broken??

Mr Omnipresent® mr.omnipresent at gmail.com
Sat Jan 31 13:45:32 EST 2009


Hello Matus,

Though I am not an expert on this, afaik captcha has been broken. We have
heard about how captcha was broken. The link below is for your reference.
http://ejohn.org/blog/ocr-and-neural-nets-in-javascript/
I would suggest you implement a better captcha library/solution and
blacklist the IP ranges until this problem is fixed. You might also want to
implement some sort of time restriction, so that if someone is sending SMS they
would need to wait for some more time to send the next SMS - this way you
could prevent them from using your service for sub-selling.

Thanks & Regards
Gaurav


On Sat, Jan 31, 2009 at 11:41 AM, Luis Matus <matus.investiga at gmail.com> wrote:

> I need some advice. I work for a company that provides SMS service online
> from our website. The website uses captcha, but somehow hackers have
> been able to break the captcha or work around it, because they (hackers)
> have created a website capable of sending SMS through our website.
>
> I know they're using our website because we can see their website
> server IP in our database logs.
>
>
> Do you have any pointers on how the problem could be addressed?
>
> Perhaps you might have some similar stories that may give me a clue of how
> they did it?
>
> Greetings.
>
>
>
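The two server-side measures suggested in the reply above (blacklisting IP ranges and a waiting time between sends), as an added example that is not part of the original thread. The names `SmsSendGate` and `replay`, the 60-second wait and the sample addresses (documentation ranges) are assumptions; the wait is keyed on source IP because the original post says the relaying site's server IP is what shows up in the logs.

```python
import ipaddress
import time


class SmsSendGate:
    """Gate for an SMS send endpoint: IP-range blocklist plus a wait between sends."""

    def __init__(self, blocked_ranges, cooldown_seconds, clock=time.monotonic):
        self.blocked = [ipaddress.ip_network(r) for r in blocked_ranges]
        self.cooldown = cooldown_seconds
        self.clock = clock          # injectable so the logic can be tested
        self.last_sent = {}         # normalised source IP -> time of last accepted send

    def check(self, source_ip):
        """Return (allowed, reason, retry_after_seconds) for one send request."""
        addr = ipaddress.ip_address(source_ip)
        if any(addr in net for net in self.blocked):
            return (False, "blocked_range", None)
        now = self.clock()
        key = str(addr)
        last = self.last_sent.get(key)
        if last is not None and now - last < self.cooldown:
            # Rejected attempts do not reset the timer.
            return (False, "cooldown", self.cooldown - (now - last))
        self.last_sent[key] = now
        return (True, "ok", 0)

    def prune(self):
        """Drop entries whose wait has expired so the table stays bounded."""
        now = self.clock()
        self.last_sent = {k: t for k, t in self.last_sent.items()
                          if now - t < self.cooldown}


def replay(requests, blocked_ranges, cooldown_seconds):
    """Run constructed (timestamp, source_ip) pairs through the gate."""
    current = [0.0]
    gate = SmsSendGate(blocked_ranges, cooldown_seconds, clock=lambda: current[0])
    decisions = []
    for ts, ip in requests:
        current[0] = ts
        decisions.append(gate.check(ip)[:2])
    return decisions


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = [(0, "198.51.100.7"), (5, "198.51.100.7"), (10, "203.0.113.9"),
          (61, "198.51.100.7"), (62, "192.0.2.44")]
```

Because every request relayed through a third-party site arrives from that site's server address, a per-source wait caps its total throughput at one SMS per interval regardless of how many end users it fronts.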