CAPTCHA Meltdown

It seems like it was just the other day that I was writing about how CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) was quickly becoming completely useless for Web security. Actually, it was just the other day, two days ago, but I was wrong. CAPTCHA is already completely useless.

I found the proof of this in the latest blog post from Sumeet Prasad, a threat analyst at the Web security company WebSense. There, he reported that there's now a botnet-based program that can beat Google's Blogger CAPTCHA.

The program is not terribly good at breaking Blogger's CAPTCHA. WebSense estimates it has an 8% to 13% success rate and takes about 35 seconds per attempt. But with hundreds to thousands of zombied home PCs doing nothing but trying to create fake blogs, the program doesn't have to be very good at it; a low success rate multiplied by enough machines still yields a steady stream of spam blogs.
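To make the arithmetic behind that point concrete, here is a small throughput model. It is an added example, not code from the article or from WebSense. The success rate and time per attempt are the figures WebSense quotes above; the bot counts, the assumption of one IP address per bot, and the hypothetical per-IP attempt cap are illustrative assumptions.

```python
"""Throughput model for a distributed CAPTCHA-breaking botnet.

Added example, not from the original article or from WebSense. The success
rate (8-13%) and time per attempt (35 s) are the article's figures; the bot
counts and the per-IP rate cap are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BotnetModel:
    bots: int                    # zombie PCs working on sign-ups
    success_rate: float          # fraction of CAPTCHA attempts that succeed
    seconds_per_attempt: float   # wall-clock time per attempt on one bot

    def attempts_per_hour(self) -> float:
        """Total attempts the whole botnet makes in one hour."""
        return self.bots * 3600.0 / self.seconds_per_attempt

    def accounts_per_hour(self) -> float:
        """Expected successful sign-ups (fake blogs) per hour."""
        return self.attempts_per_hour() * self.success_rate

    def accounts_per_hour_capped(self, max_attempts_per_ip_per_hour: float) -> float:
        """Expected sign-ups per hour if the service caps attempts per source IP.

        Assumption: one public IP per bot. Bots behind shared NAT or open
        proxies would share a cap and lower this figure further.
        """
        per_bot = min(3600.0 / self.seconds_per_attempt, max_attempts_per_ip_per_hour)
        return self.bots * per_bot * self.success_rate


def hours_to_accounts(model: BotnetModel, target_accounts: int) -> float:
    """Hours the botnet needs to create target_accounts fake blogs."""
    return target_accounts / model.accounts_per_hour()


def compare(bots_list, rates=(0.08, 0.13), seconds_per_attempt=35.0, cap=10):
    """Rows of (bots, rate, accounts/h uncapped, accounts/h with per-IP cap)."""
    rows = []
    for bots in bots_list:
        for rate in rates:
            m = BotnetModel(bots, rate, seconds_per_attempt)
            rows.append((bots, rate,
                         round(m.accounts_per_hour()),
                         round(m.accounts_per_hour_capped(cap))))
    return rows


if __name__ == "__main__":
    for row in compare((100, 1000, 10000)):
        print("bots=%5d  p=%.2f  accounts/h=%6d  capped(10/h)=%6d" % row)
```

With 1,000 bots at the low end of WebSense's estimate (8%), the model yields roughly 8,200 fake blogs an hour; the solver's quality barely matters once the attempt rate is that high. The capped column shows why defenders lean on per-source rate limiting and reputation rather than on the puzzle itself: a hypothetical cap of 10 attempts per IP per hour cuts the same botnet to about 800 an hour, which is still far from zero.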

Once it has cracked a Blogger CAPTCHA, the program calls on other programs to set up a spam page. Or, and this is where they get really sneaky, the Blogger page itself contains nothing harmful but uses JavaScript to send your browser to a site filled with spam or malware, so a scan of the Blogger page's own content turns up nothing. Although Prasad didn't mention it, I can easily imagine a bogus Blogger page that sends your PC to a malware-spewing site that will try to infect your system with the Blogger CAPTCHA-breaking software. In this way, the Blogger CAPTCHA botnet can keep growing and growing and... well, you get the idea.
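The "harmless page that bounces you elsewhere" trick leaves a footprint a hosting service can look for: a literal client-side redirect to another host. The scanner below is an added example, not code from the article or from WebSense or Google; it is a regular-expression heuristic over page HTML, and the two sample pages and their hostnames are constructed for illustration.

```python
"""Heuristic scan for client-side redirects in a page's HTML.

Added example, not from the original article or from WebSense. The sample
pages and hostnames below are constructed stand-ins. This catches literal
redirect targets only; obfuscated JavaScript needs a real parser or a
headless browser.
"""
import re
from urllib.parse import urlparse

# JavaScript assignment to location / location.href with a literal URL.
# `=(?!=)` keeps comparisons such as `location.href == "..."` from matching.
JS_ASSIGN = re.compile(
    r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=(?!=)\s*(['"])(?P<url>[^'"]+)\1""",
    re.I,
)
# location.replace("...") / location.assign("...") with a literal URL.
JS_REPLACE = re.compile(
    r"""location\.(?:replace|assign)\(\s*(['"])(?P<url>[^'"]+)\1""",
    re.I,
)
# <meta http-equiv="refresh" content="0;url=...">
META_REFRESH = re.compile(
    r"""<meta[^>]*http-equiv\s*=\s*['"]?refresh['"]?[^>]*content\s*=\s*['"][^'"]*?url\s*=\s*(?P<url>[^'"\s;]+)""",
    re.I,
)

PATTERNS = (("js-assign", JS_ASSIGN), ("js-replace", JS_REPLACE), ("meta-refresh", META_REFRESH))


def find_redirects(html: str, page_host: str) -> list:
    """Return every literal client-side redirect, tagged with whether it leaves page_host."""
    findings = []
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(html):
            url = match.group("url")
            target_host = urlparse(url).hostname or page_host  # relative URL stays on-site
            findings.append({
                "kind": kind,
                "url": url,
                "offsite": target_host.lower() != page_host.lower(),
            })
    return findings


def is_suspicious(html: str, page_host: str) -> bool:
    """True when the page jumps to another host, the pattern the article describes."""
    return any(f["offsite"] for f in find_redirects(html, page_host))


# Constructed sample: an ordinary blog page with a same-site redirect only.
CLEAN_PAGE = """<html><head><title>My blog</title></head><body>
<p>Welcome to my blog.</p>
<script>
  var here = location.href;                      // read, not a redirect
  if (location.href == "http://myblog.example.com/old") {
    location.href = "/2008/04/new-post.html";    // same-site redirect
  }
</script></body></html>"""

# Constructed sample: a "blank" spam blog that bounces visitors off-site.
SPAM_PAGE = """<html><head>
<meta http-equiv="refresh" content="0;url=http://pills.example.net/buy">
</head><body><p>Loading...</p>
<script>
  window.location = "http://pills.example.net/buy";
  setTimeout(function () { document.location.replace('http://drive-by.example.org/landing'); }, 2000);
</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("spam", SPAM_PAGE)):
        print(name, is_suspicious(page, "myblog.example.com"), find_redirects(page, "myblog.example.com"))
```

A same-site redirect is normal and is reported but not flagged; only a jump off the hosting domain is treated as suspicious. In practice a service would combine this with the destination's reputation and with sign-up-time signals (source IP, account age, CAPTCHA retry count), since a spammer who reads this page will simply move the redirect into obfuscated script.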

I suggested last time that the Web companies might want to start replacing CAPTCHA with image-based authentication systems like ALIPR (Automatic Linguistic Indexing of Pictures) IMAGINATION. Other security programs try similar approaches, like indentiPIC, which has people identify three images from a pull-down list. Still other projects, like Securimage, are trying to give new life to CAPTCHA by hiding alphanumeric characters in more complex images.

Many people told me that the image-based systems are just too hard for ordinary people to use, never mind people with vision impairments. They're right.

However, any CAPTCHA system is already nothing but a frustrating annoyance to the blind or visually impaired. As far as I can tell, no ADA (Americans with Disabilities Act) lawsuit has been filed against a company using CAPTCHA. If it weren't for the fact that CAPTCHA is already busted as a security measure, and therefore should be on its way out, I wouldn't be surprised to see an ADA class-action suit against a company using CAPTCHA.

Still, we're left with the problem of how to secure free Web services and e-mail sites without CAPTCHA. The big companies that rely the most on CAPTCHA for security, Google, Microsoft, and Yahoo, don't show any signs of moving to another, better authentication system.

I sometimes wonder what it's going to take to get the corporations to replace CAPTCHA. Blogger being overwhelmed by spam sites? People blocking all Hotmail and Yahoo Mail e-mail from their desktops?

It's going to happen, you know. The smart crackers and spammers like to keep the Internet and PCs just poisoned enough for them to continue their work of phishing for your personal information and spreading spam to every e-mail box in creation. The dumb ones, and oh, are there some dumb ones out there, will overplay their hand.

Thanks to those dopes, we will probably see a blog-site CAPTCHA breaker that doesn't know when to stop. Can you see a day when people don't look at blogs for the same reason they no longer read Usenet, because the ratio of garbage to useful information is so high that it's not worth the trouble? I can.

I really hope that security companies, and their big online site customers, can implement a solution before that day. Unfortunately, I have a sinking feeling that it's going to take a disaster before CAPTCHA is ripped out and replaced with something better.
