Re: [PHP] ASCII Captcha



This is called the "Relay Attack" and is not a crack.

Cheers,
Rob.



On Fri, 2008-08-29 at 23:57 -0400, Eric Gorr wrote:
p.s. I cannot claim credit for this piece of info and since you will
reject out of hand anything I might say, I am quoting it
directly....but thought you might be interested in learning about just
how easily captchas can be cracked.

-----
To whoever said you could hire a programmer for $5/hour to break
CAPTCHAs, spammers have demonstrated a cheaper way to get someone to
do the dirty work for them. And it can work for just about any CAPTCHA
in existence because it uses the one thing CAPTCHAs depend on:
actual human intervention.

All you need is a porn server or something else decidedly tempting.

When the unsuspecting visitor makes a request for free stuff, the
server can then make an attempt to break a CAPTCHA. It makes the
attempt innocuously like any ordinary web client, but it downloads the
necessary CAPTCHA and data locally (so no offsite addressing)…and then
passes it along to the user, challenging him/her to solve the CAPTCHA
in order to obtain the goods.

The user solves the CAPTCHA, the web server passes along the results.
If the CAPTCHA is passed, the user gets the reward (so does the
server, though).

It’s a human proxy, and the actual attempt can be made to look exactly
like any ordinary person making the attempt, so there’s no way for the
CAPTCHA to distinguish between this and a real attempt. It would be
only moderately difficult to implement the proxy but mostly automatic
once implemented.
-----


Simple Google searches can come up with similar statements from
apparently credible sources, whose veracity I have no reason to doubt,
about people being hired to sit there and break captchas if it is
important enough to the evil doer to do so.


--
http://www.interjinn.com
Application and Templating Framework for PHP
