Nytro

The No CAPTCHA problem


Posted (edited)

The No CAPTCHA problem

When I read about No CAPTCHA for the first time I was really excited. Did we finally find a better solution? Hashcash? Or what?

Finally it's available and the blog post disappointed me a bit. Here's the WordPress registration page successfully using No CAPTCHA.

[Screenshot: Screen Shot 2014-12-04 at 5.48.17 PM]

Now let's open it in an incognito tab... Wait, annoying CAPTCHA again? But I'm a human!

[Screenshot: Screen Shot 2014-12-04 at 6.00.45 PM]

So what Google is trying to sell us as a comprehensive bot-detecting algorithm is simply a whitelist based on your previous online behavior, the CAPTCHAs you solved. Essentially - your cookies. Under the hood they replaced challenge/response pairs with the token "g-recaptcha-response". Good guys get it "for free", bad guys still have to solve a challenge.

Does it make the bot's job harder? Not at all. The legacy flow is still available and old OCR bots can keep recognizing.

But what about new "find a similar image" challenges? Bots can't do that!

[Screenshot: Screen Shot 2014-12-04 at 6.16.57 PM]

As long as $1 per hour is OK for many people in the third world, bots won't need to solve new challenges. No matter how complex they are, bots simply need to get the JS code of the challenge, show it to another human being (working for cheap or just a visitor on popular websites) and use the answer that human provided.

The thing is No CAPTCHA actually introduces a new weakness!

Abusing clickjacking we can make the user (a good guy) generate a g-recaptcha-response for us - make a click (demo bot for WordPress). Then we can use this g-recaptcha-response to make a valid request to the victim (from our server or from the user's browser).

[Screenshot: Screen Shot 2014-12-04 at 6.53.57 PM]

It's pretty much a serious weakness of the new reCAPTCHA - instead of making everyone recognize those images we can make a bunch of good "trustworthy" users generate g-recaptcha-responses for us. The bot's job just got easier!

You're probably surprised: how can we use a third-party data-sitekey on our website?

[Screenshot: Screen Shot 2014-12-04 at 7.10.07 PM]

Don't be - the Referrer-based protection was pretty easy to bypass with `<meta name="referrer" content="never">`.

P.S. Many developers still think you need to wait a while to get a new challenge.

I've used them in the past, accuracy is about 80% and response time about 10 seconds per attempt. Still too slow for some attacks.

— Stephen de Vries (@stephendv)

In fact you can prepare as many challenges as you want and then start spamming later. It's another reCAPTCHA weakness that will never be fixed.

Author: Egor Homakov on 3:52 AM

Source: Egor Homakov: The No CAPTCHA problem

Edited by Nytro
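The post lists three things a site integrating reCAPTCHA has to worry about: a token solved on someone else's page with your data-sitekey, a token that was solved long before it is submitted (the "prepare challenges, spam later" point), and the clickjacking embed itself. The example below is added here and is not Homakov's code or Google's; it shows the server-side checks a defender would put around the g-recaptcha-response token. The field names `success`, `challenge_ts`, `hostname` and `error-codes` are the ones the public siteverify endpoint returns; the sample responses, the hostname `example.com`, the fixed clock and the `handle_registration` helper are constructed for the example (a real handler would POST the token to siteverify and use the current time).

```python
from datetime import datetime, timedelta, timezone

# Constructed siteverify responses (shape follows the public siteverify JSON;
# the values themselves are made up for this example).
GOOD = {"success": True, "challenge_ts": "2014-12-04T18:53:57Z", "hostname": "example.com"}
WRONG_HOST = {"success": True, "challenge_ts": "2014-12-04T18:53:57Z", "hostname": "attacker.example"}
STALE = {"success": True, "challenge_ts": "2014-12-04T10:00:00Z", "hostname": "example.com"}
FAILED = {"success": False, "error-codes": ["invalid-input-response"]}

# Fixed "now" so the example is deterministic; production code uses datetime.now(timezone.utc).
NOW = datetime(2014, 12, 4, 18, 54, 30, tzinfo=timezone.utc)


def _parse_ts(ts):
    # challenge_ts is ISO 8601 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validate_siteverify(result, expected_hostname, now, max_age=timedelta(minutes=2)):
    """Return (ok, reason). Accept only a successful, fresh token solved on our own hostname."""
    if not result.get("success"):
        return False, "siteverify reported failure: %s" % result.get("error-codes")
    # Hostname check: a token solved on an attacker's page that embeds our sitekey
    # should not report our hostname. Cheap to check, so always check it.
    if result.get("hostname") != expected_hostname:
        return False, "token solved on %r, not on %r" % (result.get("hostname"), expected_hostname)
    # Freshness check: tokens stockpiled in advance are rejected once they age out.
    age = now - _parse_ts(result["challenge_ts"])
    if age < timedelta(0) or age > max_age:
        return False, "token is %s old, limit is %s" % (age, max_age)
    return True, "ok"


class TokenLedger:
    """Remember consumed g-recaptcha-response values so each token is spent only once."""

    def __init__(self):
        self._seen = set()

    def consume(self, token):
        if token in self._seen:
            return False
        self._seen.add(token)
        return True


def anti_framing_headers():
    """Response headers that stop the registration page being embedded in a cross-origin frame,
    which is the precondition for the clickjacking flow described in the post."""
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
    }


def handle_registration(form, siteverify_result, ledger, now, expected_hostname="example.com"):
    """Hypothetical registration handler: siteverify_result is what the server got back
    from siteverify for form['g-recaptcha-response']."""
    token = form.get("g-recaptcha-response", "")
    if not token:
        return False, "missing g-recaptcha-response"
    ok, reason = validate_siteverify(siteverify_result, expected_hostname, now)
    if not ok:
        return False, reason
    if not ledger.consume(token):
        return False, "token already used"
    return True, "registered"


if __name__ == "__main__":
    ledger = TokenLedger()
    form = {"g-recaptcha-response": "constructed-token-1"}
    print(handle_registration(form, GOOD, ledger, NOW))        # (True, 'registered')
    print(handle_registration(form, GOOD, ledger, NOW))        # (False, 'token already used')
    print(handle_registration(form, WRONG_HOST, ledger, NOW))  # hostname mismatch
    print(handle_registration(form, STALE, ledger, NOW))       # stale token
    print(anti_framing_headers())
```

The two-minute window is a policy choice, not a protocol constant; pick something that matches how long a real user takes between ticking the box and submitting the form. The single-use ledger needs to be shared storage in a multi-process deployment, otherwise the same token can be replayed against a different worker.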
