[NEWS] Yahoo's Visual Captchas a.k.a. Word Verification Systems Flawed
From: SecuriTeam (support_at_securiteam.com)
Date: 06/14/04
- Previous message: SecuriTeam: "[NEWS] VICE Emulator Format String Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 14 Jun 2004 11:15:13 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Yahoo's Visual Captchas a.k.a. Word Verification Systems Flawed
------------------------------------------------------------------------
SUMMARY
A <http://en.wikipedia.org/wiki/Captcha> captcha (an acronym for
"completely automated public Turing test to tell computers and humans
apart") is a type of challenge-response test used in computing to
determine whether or not the user is human. One such test is utilized by
Yahoo to prevent SPAMers from creating accounts for the sole purpose of
sending through Yahoo SPAM. The system used by Yahoo has been found to
contain a flaw that would allow a SPAMer to solve this Turing test once,
and utilize the solution for any future requests for new accounts he does.
DETAILS
Whilst Tom tried to write an OCR program to solve visual captchas or "word
verification" tests as they are called by online services, Tom noticed
that with Yahoo the online forms which the captchas were trying to protect
from bots could be submitted just by solving one image and changing the
".SecData" POST variable to the image name without it's extension. This
means of course that a bot would not need to solve the captcha, which is
quite a challenge at present.
Example:
This means that solving just this test:
<INPUT type="hidden" name=".SecData" value="akasdmfhugfcvwenecjeeve--">
And then submitting it to any future request done to Yahoo would bypass
the problem posed by the Word Verification System used.
Vendor status:
Tom contacted Yahoo about this issue and has received no reply. At the
moment he doesn't have an idea of the scale of the problem of mass account
holding so he is not sure if this warrants "a fix". The problem must have
been serious enough to warrant measures to be taken against it. Yahoo
cannot be the only website using this technology, so what other sites
could be vulnerable? Online E-mail providers, Banks, Shops?
ADDITIONAL INFORMATION
The information has been provided by <mailto:keetch_tw@hotmail.com> Tom
K.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] VICE Emulator Format String Vulnerability"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
