[WEB SECURITY] Defeating CAPTCHAs via Averaging (fwd)

[bugtraq@xxxxxxxxxxxxxxx]

Forwarding along.

> Subject: Defeating CAPTCHAs via Averaging
> Date: Sat, 27 Jan 2007 03:00:13 +0100
> 
> Summary
> =======
> 
> This article describes how certain types of captchas (such as the ones used 
> by a German online-banking site) can be automatically recognized using 
> software. The attack does not recognize one particular captcha itself but 
> exploits a design error allowing to average multiple captchas containing 
> the same information. The result can be recognized by conventional OCR 
> programs thereby defeating the captcha. 
> 
> Details
> =======
> 
> The detailed article (including sample images) is online here:
> http://www.cip.physik.uni-muenchen.de/~wwieser/misc/captcha/
> 
> Countermeasurements
> ===================
> 
> Website developers can easily defend against this attack by not 
> allowing the extraction of a series of different captcha images 
> with same content. Instead, the image should change only when the 
> text content changes. 
> 
> Captcha designers can defend agaist averaging attacks by not using 
> noise-like distortions. For example, moving and rotaing individual 
> letters by a large enough distance/angle will spoil averaging by 
> reducing the contrast in averaged images.
> 
> Contact: wwieser (at) gmx -dot- de
> PLEASE do not CC me when posting to the list; I am subscribed. 
> 


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

The Web Security Mailing List: 
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]