Posted by Keith McMillan

January 30, 2008 | 1 Comment

I wrote earlier in the week about the possible use of something like CAPTCHA to combat Cross-site Request Forgery attacks, and as if by magic, we see the news breaking that CAPTCHA has apparently been cracked by a team of Russian hackers. For a quick recap, CAPTCHA generates images consisting of letters and numbers, then asks the (presumably human) user of a site to enter them in order to verify that it’s a human using the service, rather than a machine.

The argument I made was that you could use something like CAPTCHA to try to verify that requests for certain services (such as check-out, or changing user profile information) was requested by a real user, rather than a javascript program pretending to be human.

The wily Russian(s) in question claim the ability to decode CAPTCHA about 35% of the time, which is probably plenty for most sites. This would probably severely hamper, if not eliminate the usefulness of CAPTCHA as part of the CSRF solution.

Back to the drawing board…


RSS feed | Trackback URI

1 Comment »

2008-04-30 20:23:02

[…] was cracked some months ago (as I’ve previously mentioned) and one by one, the various implementations have fallen prey to the bots sending you […]

Name (required)
E-mail (required - never shown publicly)
Your Comment (smaller size | larger size)
You may use <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> in your comment.