Re: Defeating CAPTCHAs via Averaging


On Thursday 01 February 2007 01:52, Andreas Beck wrote:
> No, but it can be easily defeated by changing the placement/appearance
> of the number(s) as well as that of the noise or by keeping both
> constant over reloads.
>
> What is exploited here is the fact that noise and payload behave
> differently on reload. This allows one to separate them.
>
Exactly, this is the point. 

> Please note that averaging is a very simple technique to do that.
> Depending on the type of captcha, one can use methods that converge
> much more quickly. Simplest one would be to use the simple majority
> of pixel values or the median value, if slight global noise (e.g. from
> compression artefacts) is expected.
>
> This should yield almost perfect results with as low as 3 different
> images. Adding a tiny bit of spatial filtering might help as well.
>
My point of the initial article was NOT to demonstrate a new or especially 
clever way to defeat a captcha. This would not really be something for 
bugtraq as most of the captchas can be defeated by sophisticated 
cutting-edge computer recognition software (see http://www.captcha.net/). 

The main idea is to show how a design flaw (repeatedly presenting the 
same information with different obfuscation) can be used to compromise 
a captcha without the need for an especially clever algorithm. 
So, it's not about how to defeat the captcha by recognizing the text but 
how to defeat it by exploiting a design flaw. 

And the good thing is: This design flaw can easily be avoided. 
However, one has to be aware of it. 

Regards,
Wolfgang Wieser

Contact: wwieser (at) gmx -dot- de
PLEASE do not CC me when posting to the list; I am subscribed. 
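
An added illustration, not part of the original message or thread: a toy self-test for the design flaw discussed above. It compares what a per-pixel majority vote over reloads leaves behind for three generator designs (fresh noise per reload, payload and noise both constant, payload placement changing with the noise). The image size, noise level, seeds and all function names are constructed for the example.

```python
import random

W, H, FLIP = 40, 12, 0.3   # constructed toy image size and per-pixel noise level

def make_payload(seed):
    """Constructed stand-in for the rendered challenge text: a fixed bit pattern."""
    rng = random.Random(seed)
    return [[int(rng.random() < 0.3) for _ in range(W)] for _ in range(H)]

def render(secret, rng, shift=0):
    """Payload shifted cyclically by `shift` columns, each pixel flipped with prob. FLIP."""
    return [[row[(x - shift) % W] ^ int(rng.random() < FLIP) for x in range(W)]
            for row in secret]

def reloads(secret, n, mode):
    """Simulate n reloads of one challenge under three generator designs."""
    images = []
    for i in range(n):
        if mode == "fresh_noise":        # the flaw: same payload, new noise each reload
            images.append(render(secret, random.Random(1000 + i)))
        elif mode == "constant":         # payload and noise both fixed per challenge
            images.append(render(secret, random.Random(1000)))
        elif mode == "moving_payload":   # placement changes together with the noise
            r = random.Random(1000 + i)
            images.append(render(secret, r, shift=r.randrange(W)))
    return images

def majority(images):
    """Per-pixel majority vote across all reloads."""
    n = len(images)
    return [[int(2 * sum(img[y][x] for img in images) > n) for x in range(W)]
            for y in range(H)]

def error_rate(img, secret):
    """Fraction of pixels that differ from the clean payload."""
    wrong = sum(img[y][x] != secret[y][x] for y in range(H) for x in range(W))
    return wrong / (W * H)

def leak_report(n=15):
    """Residual error after voting; a low value means reloads leak the payload."""
    secret = make_payload(seed=7)
    return {m: error_rate(majority(reloads(secret, n, m)), secret)
            for m in ("fresh_noise", "constant", "moving_payload")}

if __name__ == "__main__":
    for mode, err in leak_report().items():
        print(f"{mode:15s} residual error after majority vote: {err:.2f}")
```

Only the fresh-noise design lets the vote strip the obfuscation; in the other two the residual error stays at or above the single-image noise level.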
