Thursday, September 3, 2009

Captcha protection at its best

Many thanks to Churchy for submitting this nice programming mistake. Unfortunately, this is not an isolated case, and others may find themselves trapped in the same sort of problem. But don't worry, Churchy explains the pitfalls.

A common way to protect web forums or blog comment areas from unwanted spam without manually checking every new message before publishing it is to include captchas. Captchas are intended to be readable by humans only, thus preventing automated bots from submitting forms with spam content. However, a mechanism intended to raise the security level can also suffer from flaws that make it useless. A German news site seen in the first picture lets users post comments and includes a captcha. The first pitfall is obvious.
 
 
The letters and numbers in the captcha can be read easily. They look exactly like typed letters, are perfectly ordered, do not include optical noise, always have the same background, have the same size and are not rotated at all. No OCR software should have any problems in reconstructing the contents of the image. However, the second and probably even worse pitfall lies in the way the images are generated. Have a look at the source code of the site:
 
Who would need to find a way to reconstruct captcha images if everything you need to know is already waiting in the source code, easy to parse with regular expressions? Maybe the website shown is not very popular and submitted spam can easily be removed again by an admin, but why would you want to include a security measure that does not add any real security value at all? However, as flawed as the shown implementation might be, it may protect against bots that do not target this specific site (and its flaws) but just randomly submit forms on any website they find. Or, as Ted Humphreys would have said: Whether this solution is appropriate depends on the risk you are facing. :-)
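The second pitfall comes down to where the solution lives. The sketch below is an added example, not the news site's code: it contrasts a form that ships the captcha text in its markup with one that keeps the text on the server behind a random, single-use token. The URL shapes, field names and the `CaptchaStore` class are assumptions made for illustration.

```python
import hmac
import secrets

ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # constructed alphabet, no look-alikes


def render_leaky_form(answer):
    # Anti-pattern (assumed shape): the solution travels to the client in the markup.
    return f'<img src="/captcha.png?text={answer}"><input name="captcha">'


class CaptchaStore:
    """Keeps each solution on the server; the client only sees a random token."""

    def __init__(self):
        self._pending = {}  # token -> expected answer

    def issue(self):
        answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
        token = secrets.token_urlsafe(16)
        self._pending[token] = answer
        return token, answer  # the answer is handed to the image renderer only

    def render_form(self, token):
        # The image endpoint looks the text up by token on the server side.
        return (f'<img src="/captcha.png?id={token}">'
                f'<input type="hidden" name="captcha_id" value="{token}">'
                f'<input name="captcha">')

    def verify(self, token, submitted):
        # pop() makes every challenge single-use, so a solved one cannot be replayed.
        expected = self._pending.pop(token, None)
        if expected is None:
            return False
        guess = submitted.strip().upper().encode()
        return hmac.compare_digest(expected.encode(), guess)


def leaks_answer(html, answer):
    """Regression check: the rendered page must never contain the solution."""
    return answer.lower() in html.lower()
```

Keeping the text out of the page only addresses the second pitfall; the image itself still has to resist OCR, which is the first one.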
