Thursday, December 3, 2009

How some CAPTCHAs are being broken (and how to fix it)

I've noticed that CAPTCHAs are becoming increasingly futile in combating automated sign-ups, as well as becoming increasingly prevalent in places where it doesn't make sense to put them. So a while back, I connected the dots into a theory on how CAPTCHAs are being circumvented in bulk quantities (after some further research, it turns out that this method is actually in use).

It's essentially a form of covert crowdsourcing: If you have a high-traffic site that requires a sign-up, you could in theory simultaneously create an account on some other CAPTCHA-enabled site by forwarding the CAPTCHA to the user signing up on your site, and as your user solves it, forward the result to your own sign-up session on the target site.

There's a lot going on in this, so I'll divide it into two parallel time lines (each step is tagged with the site it happens on, malicious site or target site):

  • Malicious site: User loads registration sign-up page

  • Target site: Sign-up session on target site is started, malicious site downloading CAPTCHA image

  • Malicious site: Malicious site presents target site's CAPTCHA as its own

  • Malicious site: User fills out details and solves CAPTCHA

  • Target site: User's CAPTCHA result is used to register on target site

Now this is a known method, but there is an obvious way of deterring this sort of thing that for some reason doesn't seem to be widespread: embed something that indicates the origin of the CAPTCHA onto the image itself. If users see a URL and a logo belonging to a different web site than the one they are signing up on, they would naturally grow suspicious, and as this method mostly lends itself to targeting specific websites (and these would be bigger targets), the target will likely be big enough to be recognizable to the average person, which makes it all the more suspicious.
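The origin-stamping mitigation described above, as an added example that is not code from the original post. It renders the challenge as SVG using only Python's standard library and assumes a server-side step rasterises the SVG to a PNG before it is served (left out here); `example.com` is a placeholder origin. The one design point it adds beyond the post: the origin is laid under and across the glyph band, repeated, rather than in a corner, because a stamp sitting off to the side can be cropped away by a relaying site while one that shares the challenge's pixels cannot.

```python
import random
import secrets
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no 0/O or 1/I look-alikes
WIDTH, HEIGHT = 240, 80
GLYPH_BAND = (22, 66)   # vertical band (y range) the challenge glyphs occupy


def new_challenge(length=6):
    """Unpredictable challenge text; uses `secrets`, never `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_captcha(challenge, origin, seed=None):
    """Return SVG markup: jittered challenge glyphs drawn over a repeated
    origin watermark that fills the same vertical band as the glyphs.

    The watermark goes under and across the glyph band rather than in a
    corner, so a site relaying the image cannot crop the origin away
    without also cropping the challenge.
    """
    rng = random.Random(seed)   # visual jitter only; the secret is the challenge text
    svg = ET.Element("svg", {"xmlns": SVG_NS, "width": str(WIDTH), "height": str(HEIGHT)})
    ET.SubElement(svg, "rect", {"width": "100%", "height": "100%", "fill": "#f4f4f4"})

    # 1. Origin watermark: three rows of the site name inside the glyph band,
    #    each slightly tilted and repeated until it runs off the right edge.
    step = len(origin) * 7 + 14                         # rough advance per repetition at 11px
    rows = (GLYPH_BAND[0] + 8, (GLYPH_BAND[0] + GLYPH_BAND[1]) // 2 + 4, GLYPH_BAND[1])
    for row, y in enumerate(rows):
        x = -rng.randint(0, step // 2) - (row * step // 3)
        while x < WIDTH:
            stamp = ET.SubElement(svg, "text", {
                "class": "origin", "x": str(x), "y": str(y), "font-size": "11",
                "font-family": "sans-serif", "fill": "#8a9aa8",
                "transform": f"rotate({rng.uniform(-6, 6):.1f} {x} {y})"})
            stamp.text = origin
            x += step

    # 2. Challenge glyphs: fixed left-to-right order, random size/offset/rotation.
    slot = (WIDTH - 40) / len(challenge)
    for i, ch in enumerate(challenge):
        x = 20 + i * slot
        y = rng.randint(GLYPH_BAND[0] + 18, GLYPH_BAND[1] - 4)
        glyph = ET.SubElement(svg, "text", {
            "class": "glyph", "x": f"{x:.1f}", "y": str(y),
            "font-size": str(rng.randint(28, 36)), "font-family": "serif",
            "fill": "#203040", "transform": f"rotate({rng.uniform(-25, 25):.1f} {x:.1f} {y})"})
        glyph.text = ch

    # 3. A few noise strokes drawn over everything.
    for _ in range(4):
        ET.SubElement(svg, "line", {
            "x1": str(rng.randint(0, WIDTH)), "y1": str(rng.randint(0, HEIGHT)),
            "x2": str(rng.randint(0, WIDTH)), "y2": str(rng.randint(0, HEIGHT)),
            "stroke": "#6c7a89", "stroke-width": "1.5"})
    return ET.tostring(svg, encoding="unicode")


def _texts(svg_text, cls):
    """All <text> elements of the given class in a rendered image."""
    root = ET.fromstring(svg_text)
    return [el for el in root.iter() if el.tag.endswith("text") and el.get("class") == cls]


def stamped_origins(svg_text):
    """Set of origin labels present in a rendered image."""
    return {el.text for el in _texts(svg_text, "origin")}


def challenge_glyphs(svg_text):
    """Challenge text read back from the glyph elements, left to right."""
    glyphs = sorted(_texts(svg_text, "glyph"), key=lambda e: float(e.get("x")))
    return "".join(el.text for el in glyphs)


def origin_covers_glyph_band(svg_text):
    """True when every watermark row lies inside the glyph band, i.e. the
    origin cannot be cropped out without cropping the challenge too."""
    ys = [float(el.get("y")) for el in _texts(svg_text, "origin")]
    return bool(ys) and min(ys) >= GLYPH_BAND[0] and max(ys) <= GLYPH_BAND[1]


if __name__ == "__main__":
    code = new_challenge()
    image = render_captcha(code, "example.com")     # example.com is a placeholder origin
    print("challenge:", code, "| origin stamps:", len(_texts(image, "origin")))
    print(image)
```

The `seed` argument only fixes the jitter so a render is reproducible in tests; the challenge text itself always comes from `secrets`. The read-back helpers (`stamped_origins`, `challenge_glyphs`, `origin_covers_glyph_band`) exist so the layout property can be checked in a unit test rather than eyeballed.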