
Yahoo! CAPTCHA Cracked.
by Worthersee at 4:05 pm EST, Jan 29, 2008

A team of Russian hackers has found a way to read the CAPTCHA with 35% accuracy. Let there be no mistake: the CAPTCHA that Yahoo! deploys is believed to be one of the most difficult CAPTCHAs to crack. It utilizes bent alphanumeric characters and other features you might expect from a strong CAPTCHA, and still it's easy for humans to solve.

Impressive Russian hackers... Only failing roughly 2 out of 3 tries. The Russian hackers went on to say:

The CAPTCHA has a vulnerability we'll discuss later. It's not necessary to achieve a high degree of accuracy when designing automated recognition software. An accuracy of 15% is enough when an attacker is able to run 100,000 tries per day, taking into consideration the price of non-automated recognition: one cent per CAPTCHA.

Why can they get away with 100,000 tries per day?!?! That statement made me think that Yahoo's CAPTCHA sounds like a good candidate for the incremental delay anti-bruteforcing technique. In short, the incremental delay could decrease the number of successful attacks by delaying the response time from a failed automated attack.

After the first failed login attempt, for example, the response would be delayed by one second. After the second failed attempt, the response would be delayed by two seconds, and so on. A one-, two-, or even six-second delay is probably not going to bother a human user too seriously. Certainly he will find it less irritating than having to wait 30 minutes for his account to reactivate because he accidentally left his caps lock key on. On the other hand, an incrementing delay can completely defeat an automated tool being used for a brute force attack. Assuming the tool could normally make ten requests per second, the time it would take to make one thousand requests would jump from two minutes to five days. This pretty much renders the brute force attack tool useless.

If only to prevent Russian spammers from creating so many bogus Yahoo email accounts to spam from, do you think incremental delay would help Yahoo?

RE: Yahoo! CAPTCHA Cracked.
by noteworthy at 8:14 pm EST, Jan 29, 2008

Worthersee asked:

Do you think incremental delay would help Yahoo?

I think the Russians (or any attackers) would just distribute the task over more nodes. If the slope of increasing delay were steep enough it might force them to be even more aggressive about "recruiting" zombies for their botnet.

If you tried to increment a global (site-wide) delay variable, then you would be exposing yourself to a denial of service attack.

RE: Yahoo! CAPTCHA Cracked.
by Worthersee at 10:31 pm EST, Jan 29, 2008

noteworthy wrote:
Worthersee asked:

Do you think incremental delay would help Yahoo?

I think the Russians (or any attackers) would just distribute the task over more nodes. If the slope of increasing delay were steep enough it might force them to be even more aggressive about "recruiting" zombies for their botnet.

If you tried to increment a global (site-wide) delay variable, then you would be exposing yourself to a denial of service attack.

I thought about the possibility of a distributed attack and agree that a "site-wide" delay variable would be a bad idea. The beauty of an individual session-based incremental delay mechanism is that it can be used to throw security exceptions after n failed CAPTCHA attempts. A monitoring system could be configured to get IP addresses from those security exceptions. Admins then have the info they need to automatically block the botnet.
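As an added example (not code from this thread or from Yahoo!), here is a per-session incremental delay guard of the kind described in the two posts above: the k-th consecutive failure delays only that session's response by k seconds, a security exception carrying the client IP is raised after n failures, and a helper reproduces the "two minutes to five days" estimate for 1000 attempts at 10 per second. The session ids, the 198.51.100.7 client address and the threshold of 5 are constructed values.

```python
import time
from dataclasses import dataclass, field


class CaptchaAbuseException(Exception):
    """Raised once a session exceeds the failure threshold; carries the
    client IP so a monitoring system can pick it up and block the source."""

    def __init__(self, session_id, client_ip, failures):
        super().__init__(f"session {session_id} from {client_ip}: "
                         f"{failures} failed CAPTCHA attempts")
        self.session_id, self.client_ip, self.failures = session_id, client_ip, failures


@dataclass
class IncrementalDelayGuard:
    """Per-session incremental delay: the k-th consecutive failed attempt in a
    session delays that session's response by k*step_seconds. State is keyed by
    session, never site-wide, so one attacker cannot slow everyone else down."""
    max_failures: int = 5          # assumed threshold "n" for raising the exception
    step_seconds: float = 1.0
    failures: dict = field(default_factory=dict)   # session_id -> consecutive failures

    def delay_for(self, session_id):
        return self.failures.get(session_id, 0) * self.step_seconds

    def record(self, session_id, client_ip, solved, sleep=time.sleep):
        """Call after verifying the CAPTCHA answer; returns the delay applied (seconds)."""
        if solved:
            self.failures.pop(session_id, None)    # success resets only this session
            return 0.0
        n = self.failures.get(session_id, 0) + 1
        self.failures[session_id] = n
        if n >= self.max_failures:
            raise CaptchaAbuseException(session_id, client_ip, n)
        delay = n * self.step_seconds
        sleep(delay)                               # injectable so tests need not really wait
        return delay


def brute_force_time_seconds(requests, rate_per_second, step_seconds=1.0):
    """Wall-clock time for a tool that would normally run at rate_per_second to make
    `requests` attempts against one session when every attempt fails: the k-th failure
    adds k*step_seconds, so the added time is step * (1 + 2 + ... + requests)."""
    base = requests / rate_per_second
    return base + step_seconds * requests * (requests + 1) / 2
```

With the constructed numbers, `brute_force_time_seconds(1000, 10)` comes to roughly 5.8 days against 100 seconds with no delay, which is the jump the quoted passage describes.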
