Thursday, May 29, 2014
Wednesday, July 24, 2013
Monday, April 30, 2012
Several months ago I began to see several sites using Microsoft's ASIRRA captchas which use Petfinder.com pictures to determine if the user is a human. It works by showing the user a set of images of dogs and cats, the user simply clicks the cats, and can continue on. When I first saw this I thought it was a fairly decent way to do captchas, rather than showing words that nobody can read. I also was looking at several sub-par implementations that were easy to bypass with a little code. Take a look at this captcha code: (extra code removed for clarity)
<img src="../images/securityimages/3c.gif" width="38" /> <img src="../images/securityimages/3c.gif" width="38" />
<img src="../images/securityimages/3e.gif" width="38" />
<img src="../images/securityimages/3k.gif" width="38" />
<img src="../images/securityimages/3d.gif" width="38" />
Notice anything? the img src for the first image you are to match is the same image src as the answer. This captcha is part of a fairly popular PHP site script, that relies heavily on human valid interaction. Now, let's see a sample from ASIRRA's example on (again extra code removed for clarity)
< id="asirra_img0" src="//s3.amazonaws.com/dog.asirra.com/PhotoDB/1cc9ee4a2a028af3efad8b49e37fcd48.jpg"> < id="asirra_img1" src="//s3.amazonaws.com/dog.asirra.com/PhotoDB/4f6e5007d037514c7fa18968359a22cb.jpg">
One thing I noticed, and the biggest hole in this whole idea is that the image url's will respond with the image after consecutive requests. In other words, you will get the same image every time you request the image's url from the captcha. This means we can send off the url to get processed on other threads, and not have to worry that the url was tied to a user session. I understand why Microsoft chose to do it this way, they were trying to combat some scaling issues, as mentioned on the Microsoft Research page. Unfortunately, this opens up several vulnerabilities that other captcha solutions overcome by hashing the image with the session identifier. Therefore, if another user or process asks for the image, they wont get the same one, or nothing is returned. Ok, so matching img src's is out, so what can a slightly skilled hacker do to try and start chipping away at this captcha and get it solved within a reasonable amount of time? To the Googles! With Google Image API or even with selenium or something like phantomjs we can request images that are "similiar" in appearance to our images in question. Take a look :
Vongershan Rottweilers is the first result, not bad, also a Chihuahua at the bottom with the word Chihuahua in the rollover description. Now you say well how do I know if these images and descriptions describe dogs or cats. Well in case you have been living under a rock, you can get a fairly complete list of top dog "words" from a little service from Google called "Keyword Tool", export, save to a database, more the merrier. Take in all text from the descriptions and you can compare each word against a memcached word list of dogs and cats. Significantly less effort than trying to hash all 3 million pet finder pets and scraping the site. Count up all the Dog images returned, and all the cat images returned (google is good but not that good) and make your own assumptions (or simple AI) to have your program pick cat or dog.
Fortunately, if your program tells you that there should be 2 cats but you know there is just one, there is always a "Reload" button to conveniently get a new set of images, and a new timer. If your numbers are a landslide to either cat or dog, you might also win some leverage by caching that result as I have seen several sites return the same dog several times (the images get cached by browser, and occasionally I would notice it only requesting 2 images of a 4 image set)
It may be significantly harder though to crack the example of "Select all the Cats" and correctly guessing all the images it needs. However, I believe each site must be able to customize how many total images there are, and how many cats there are to click. If you ARE using this captcha on your site I would strongly suggest choosing more than 8 total images with more than one cat. If you can also choose a timelimit, choose a fairly quick one before the form invalidates (for an average human user). With more time to play with, hackers can easily even just send the images to a human farm of workers to decide. This can prove lucrative even.
I think it would be entirely possible to "crack" Microsoft's ASIRRA with some very simple, and scalable (with proxies), code. If there also is money to be made behind the captchas, then as they say "Where there is a will, there is a way"
Maybe I will put together some proof of concept videos of a solver in action some time. Anyone interested in seeing it?
ps. Help out a pet in need Petfinder.com !