Presented by Mike Spindel and Scott Torborg at DEFCON 2008
The materials below are presented without warranty or support. If you wish to email us with questions or comments, you may receive a reply, but don't count on it.
CAPTCHAs are widely used to protect websites against malicious robots. Yet, CAPTCHAs are being broken routinely by spammers, malware authors, and other nefarious characters. This talk will review and demonstrate many of the implementation weaknesses that are routinely exploited to break image-based CAPTCHAs, and offer suggestions for improving the effectiveness of CAPTCHAs. Rather than attempt an in-depth examination of any single CAPTCHA or technique, we will present a broad overview of tools with the aim of making it easy for anyone to take a shot at cracking the CAPTCHAs on present and future high-profile sites.
The demo code below requires PyCAPTCHA, pyDes, and web.py.
| Weakness demonstrated | Server | Client |
|---|---|---|
| No state retained by server | server-nostate.py | client-nostate.py |
| Bad CAPTCHA id encoding | server-badencoding.py | client-badencoding.py |
| Server presents variants | server-variants.py | client-variants.py |
| Secure (ish) implementation | server-secure.py | client-secure.py |

| Utility | Box file to SVG | SVG to box file |
|---|---|---|
| Converting back and forth between Tesseract box files and SVG | box2svg.py | svg2box.py |