Researcher cracks Yahoo CAPTCHA software
Antispam tech is considered to be among the strongest of its kind
TechWorld.com - A security researcher has claimed that Yahoo Inc.'s system for blocking automated access to its systems -- the CAPTCHA image-recognition system -- has been effectively cracked.
CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) systems are used by Yahoo, as well as Google Inc., Microsoft Corp. and others, to stop automated systems from registering Web-based e-mail accounts, filling blog comments sections with spam and guessing passwords.
The systems typically present users with a series of characters that can be deciphered by humans, but not by image-recognition software.
Various implementations of automated CAPTCHA-cracking software have been developed, largely by spammers, but Yahoo's CAPTCHA system so far has been ranked as one of the toughest to crack.
For example, several Web sites selling CAPTCHA cracks for sites such as eBay said Yahoo's system was next to impossible to decode.
This week, however, a programmer using the pseudonym "John Wane" and claiming to be a Russian security researcher posted code for a decoder system that he said can attain an accuracy rate of about 35%.
The researcher said Yahoo had been notified about the problem but had not responded.
The decoder could be used by spammers to, for instance, register Yahoo e-mail accounts for spam purposes or to break through antispam features, the researcher said.
"It's not necessary to achieve a high degree of accuracy when designing automated recognition software," he wrote. "An accuracy of 15% is enough when attacker is able to run 100,000 tries per day."
In a statement, Yahoo said it is aware of attempts being made toward automated solutions for CAPTCHA images, and is working on improvements to the system and other defenses.
Last year, spammers used a virtual stripper as bait to dupe people into helping criminals crack CAPTCHA codes.
Security researchers warned that a series of photographs shows "Melissa" -- no relation to the 1999 worm by the same name -- with progressively fewer clothes and more skin each time the user correctly enters the characters in an accompanying CAPTCHA codes
Forrester Research Inc. said recently that spammers are increasingly using artificial intelligence tactics to get their junk delivered to e-mail users.
The booming image spam pandemic is merely the tip of the iceberg when it comes to spammers' use of AI, Forrester said.
The only way to prevent a repeat of the image spam surge as new models using AI come to light, Forrester analysts said, will be for technology vendors and their customers to abandon the current filtering-heavy approach and instead battle the roots of the problem.
Related BlogSteven J. Vaughan-Nichols: Can CAPTCHA be saved?
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts