[WEB SECURITY] my website captcha broken??

Gunter Ollmann gollmann at us.ibm.com
Sat Jan 31 18:06:22 EST 2009


Unfortunately, I don't believe you're going to be solving anything by
increasing the sophistication of the CAPTCHA itself. The technology has
already been beaten in so many different ways.

Instead, you'll have to be smarter about how you rate limit access to the
SMS sending - probably based upon a mix of IP address and some other
login/verification identifier.

Since SMS Spam is turning into a healthy money earner for the bad guys, a
free portal for spamming from has a marketable value - so expect them to
use "more sophisticated" technologies (e.g. mechanical turks) to utilize
your SMS portal.

Here are a couple of my blog postings concerning CAPTCHAs (and their
"brokenness")...
http://blogs.iss.net/archive/MechanicalTurks.html
http://blogs.iss.net/archive/CAPTCHA.html


Cheers,

Gunter,
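One way to implement the IP-plus-identifier throttle suggested above, as an added example that is not from the original thread; the limits, the window, and the request log (with 198.51.100.7 standing in for the relay server's IP) are assumed and constructed here:

```python
from collections import deque


class SmsRateLimiter:
    """Sliding-window limiter that counts sends per client IP and per
    verified account independently; either bucket being full blocks the send."""

    def __init__(self, ip_limit=5, account_limit=3, window_s=600):
        self.limits = {"ip": ip_limit, "account": account_limit}
        self.window_s = window_s
        self.events = {}  # (scope, key) -> deque of send timestamps

    def _recent(self, scope, key, now):
        q = self.events.setdefault((scope, key), deque())
        while q and now - q[0] >= self.window_s:  # drop sends outside the window
            q.popleft()
        return q

    def allow(self, now, client_ip, account_id):
        """Return (allowed, reason); reason names the exhausted scope, if any."""
        ip_q = self._recent("ip", client_ip, now)
        acct_q = self._recent("account", account_id, now)
        if len(ip_q) >= self.limits["ip"]:
            return False, "ip"
        if len(acct_q) >= self.limits["account"]:
            return False, "account"
        ip_q.append(now)  # only count sends that were actually allowed
        acct_q.append(now)
        return True, None


# Constructed request log: (seconds, client IP, account). 198.51.100.7 plays the
# relay server from the post's database logs. Rotating accounts defeats a
# per-account limit alone, so the IP key catches it; a rotating IP pool would
# instead be caught by the account key, which is why both are tracked.
CONSTRUCTED_LOG = [
    (0, "198.51.100.7", "u1"), (10, "198.51.100.7", "u1"), (20, "198.51.100.7", "u1"),
    (30, "198.51.100.7", "u1"),   # 4th send for u1 inside the window
    (40, "198.51.100.7", "u2"), (50, "198.51.100.7", "u3"),
    (60, "198.51.100.7", "u4"),   # 6th send from the relay IP inside the window
    (70, "203.0.113.9", "u4"),    # same account, different client
    (700, "198.51.100.7", "u5"),  # window has expired for the relay IP
]


def run_constructed_log(limiter=None):
    """Apply the limiter to the log; returns 'allowed' or the exhausted scope."""
    limiter = limiter or SmsRateLimiter()
    return [limiter.allow(t, ip, acct)[1] or "allowed" for t, ip, acct in CONSTRUCTED_LOG]


if __name__ == "__main__":
    for (t, ip, acct), verdict in zip(CONSTRUCTED_LOG, run_constructed_log()):
        print(f"t={t:4d} {ip:15} {acct:3} -> {verdict}")
```

In production the deques would live in a shared store and the account key would be whatever identifier the site verifies (login session, phone number on file), not a value the client can choose freely.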


Luis Matus <matus.investiga@gmail.com> wrote on 01/31/2009 01:11 AM:
To: websecurity at webappsec.org
cc:
Subject: [WEB SECURITY] my website captcha broken??

I need some advice. I work for a company that provides SMS service online
from our web site. The website uses CAPTCHA, but somehow hackers have
been able to break the CAPTCHA or work around it, because they (hackers)
have created a website capable of sending SMS through our website.

I know they're using our web site because we can see their website
server IP in our database logs.


Do you have any pointers on how the problem could be addressed?

Perhaps you might have some similar stories that may give me a clue of how
they did it?

Greetings.
