12 Jan 2015
“CAPTCHA” is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”. That’s a bit of a mouthful and, for those of us who don’t know what a “Turing test” is, still a bit confusing. It refers to the test proposed by Alan Turing in 1950 that attempted to determine if a computer could “think”. Turing quickly realized that the term “think”, in this context, was a bit ambiguous, so he refined the focus and further elaborated: the test aimed to evaluate how well a computer could emulate or exhibit behaviour indistinguishable from that of a human user by having a human judge engage in conversation with both a human participant and a computer participant. But enough history! What are CAPTCHAs doing today and why are they so hard?
Well, as the name CAPTCHA implies, the general principle behind the “Turing test” has been adopted into a more automated approach that is being completed almost 300,000,000 times per day. That is a LOT of testing. But why? Protection from malicious software is obviously of high importance for those responsible for online services so (unfortunately) the twisty and hard to read CAPTCHAs were initially chosen for the task. For the last few years, it’s been the only way to engage users in the “Turing test”.
However, as the sophistication of the recognition software increased, so too did the difficulty of these distorted text/image CAPTCHAs. This revealed a fundamental flaw in the traditional text/image method: the only way to make the test harder for bots was to make the text/images warped and distorted to the point where even humans could barely understand what they were being presented with.
This is why FunCaptcha exists: we realized that for CAPTCHAs to remain a relevant and effective web security asset, they needed innovation or the problem would only get worse. Considering the necessity, annoyance and sheer volume of traditional CAPTCHAs, you can see why we’re so focused on reinvigorating the process with something that’s fun and engaging – hence, FunCaptcha was born. Give us a try, if you haven’t already.
At the start of December, a rather large update to the traditional reCAPTCHA technology was announced, dubbed the “No CAPTCHA reCAPTCHA” experience. For many, it came as a pleasant surprise – no more squiggly letters and hard-to-read numbers and images? What has been a frustrating experience for millions of internet users the world over looked to be getting a big injection of convenience.
The old ReCAPTCHA.
But when the mechanics behind the “new” technology were broken down via reverse engineering, many developers asserted that this newly developed convenience is merely the addition of a “whitelist”. To put it simply: a user’s past behaviour and previous CAPTCHA solves are recorded in their cookies, which are then detected by future reCAPTCHA challenges. Those that are seen as genuine users get the “No CAPTCHA experience”, while those that aren’t are reverted to the usual distorted-text reCAPTCHA.
The new ReCAPTCHA.
The existing mechanics (and thus, flaws) behind the reCAPTCHA system are still there but with the introduction of this cookie “whitelist”, perhaps reCAPTCHA could be made easier for users, without simultaneously making it easier for bots. However – this looks to have backfired because of two main issues.
Easier for humans, easier for bots
The manner in which reCAPTCHA uses its new whitelist system has actually made it easier to exploit, with no gain in security, according to www.sakurity.com consultant Egor Homakov. In a blog post from December 4th, he eloquently sums up his findings (namely the whitelist and its consequences), but we wanted to break his findings down further and relate them to readers who may not have the experience necessary to fully grasp the conclusions Egor is coming to.
His first main concern is that relying on cookies for extra convenience doesn’t add any extra security at all. If the sole goal was simply to make it easier for humans without amplifying the existing security, then technically it was a success. Egor declares this is important because the “No CAPTCHA reCAPTCHA Experience” doesn’t make it harder for bots, just easier for humans.
This is a problem, Egor says, due to the way the whitelist is implemented, allowing exploitation because “the legacy flow is still available and old OCR bots can keep recognizing” the old CAPTCHA.
For those making alternative CAPTCHAs, this was an interesting point of difference raised by Egor. For example, FunCaptcha uses an approach opposite to how reCAPTCHA now does it. Instead of becoming easier after repeated completions, FunCaptcha becomes harder after repeated mistakes. This is for two reasons:
1) To make a CAPTCHA that is inherently fast and easy for humans even easier would compromise its security against bots for no real gain.
2) A major vulnerability for visual CAPTCHAs with a small number of discrete answers is a brute-force attack by a bot, which performs automated guessing over and over until it breaks through. By tracking the history of the IP and making the CAPTCHA’s string of challenges longer after each failed attempt, a brute-force attack quickly becomes impractical.
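To make the second point concrete, here is an added example (our illustration for this post, not FunCaptcha’s production code) of a per-IP escalation policy: every failed attempt within a time window adds one more round to the next challenge, successes never shorten it, and the length is capped so a genuine user behind a shared IP is not locked out for good. The answer count, round cap and window are constructed values, and the simulated bot is a random guesser; the point is that the chance of a lucky guess collapses as the string of challenges grows.

```python
import random
from collections import defaultdict

# Constructed parameters for illustration only (not FunCaptcha's real values).
ANSWERS_PER_ROUND = 8        # discrete answers one round offers: a blind guess is right 1 in 8
BASE_ROUNDS = 1              # rounds a fresh visitor must solve in a row
MAX_ROUNDS = 6               # cap so a human behind a shared IP is never locked out
FAILURE_WINDOW_SECONDS = 15 * 60


class ChallengePolicy:
    """Tracks failed attempts per client IP and lengthens the challenge after each one."""

    def __init__(self, now_fn):
        self._now = now_fn
        self._failures = defaultdict(list)   # ip -> timestamps of recent failures

    def _recent_failures(self, ip):
        cutoff = self._now() - FAILURE_WINDOW_SECONDS
        self._failures[ip] = [t for t in self._failures[ip] if t >= cutoff]
        return len(self._failures[ip])

    def rounds_for(self, ip):
        """Rounds this IP must solve next: one extra per recent failure, capped at MAX_ROUNDS."""
        return min(BASE_ROUNDS + self._recent_failures(ip), MAX_ROUNDS)

    def record_result(self, ip, solved):
        # Only failures change the policy. A success never shortens the next challenge,
        # so a run of correct answers buys no "free pass" (contrast the cookie whitelist).
        if not solved:
            self._failures[ip].append(self._now())


def guess_success_probability(rounds):
    """Chance that one attempt of pure random guessing clears `rounds` rounds in a row."""
    return ANSWERS_PER_ROUND ** -rounds


def simulate_guessing_bot(attempts, seed=1):
    """A bot from a single IP guessing at random; returns (successes, final challenge length)."""
    rng = random.Random(seed)
    clock = [0.0]
    policy = ChallengePolicy(lambda: clock[0])
    ip = "198.51.100.9"                      # constructed address
    successes = 0
    for _ in range(attempts):
        clock[0] += 1.0                      # one attempt per second
        rounds = policy.rounds_for(ip)
        solved = rng.random() < guess_success_probability(rounds)
        successes += int(solved)
        policy.record_result(ip, solved)
    return successes, policy.rounds_for(ip)


if __name__ == "__main__":
    got, final_rounds = simulate_guessing_bot(500)
    print("successes:", got, "final challenge length:", final_rounds)
    for r in range(BASE_ROUNDS, MAX_ROUNDS + 1):
        print("rounds=%d  P(lucky guess)=%.2e" % (r, guess_success_probability(r)))
```

The escalation is deliberately one-directional: the policy only ever grows the challenge within the window and lets it decay by time, which is the opposite of a whitelist that rewards past solves with an easier test.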
Furthermore, many developers are puzzled by these changes: as Egor’s findings explain, in trying to make the reCAPTCHA process more convenient, the latest changes have arguably compromised its security.
Removing Challenge/Response has removed the challenge – for bots
Egor goes on to explain that by introducing the cookie whitelist as a replacement for the traditional “challenge/response” method, the service has become even more vulnerable to malicious attack via a process called “clickjacking”. If a valid cookie whitelist has been accumulated, the resulting token (known as “g-recaptcha-response”) gives the user a “free pass”. How is this abused? Simply click the video below to get a look at the exploit in action.
Keep in mind: we are NOT providing the technical step-by-step recipe on HOW to do this – simply the result of the exploit being implemented.
To reword Egor’s assertion and explain the above video as simply as possible: the person wanting to spam a certain website needs to obtain, via an unsuspecting user, a valid “g-recaptcha-response” that matches the required credentials of the targeted website. This is done by creating a fake variant of the target website’s reCAPTCHA, having an unsuspecting user complete this fake variant and then using the generated “g-recaptcha-response” to give bots access to the original target website through the now breakable reCAPTCHA. This is made possible because the “g-recaptcha-response” token is made available before submission to the CAPTCHA.
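From the defending site’s side, the lesson of the relay described above is that the “g-recaptcha-response” token is a bearer value: whoever holds it can submit it, so the server must verify it with its secret key and check where and when it was solved, and accept it only once. The following is an added example of those acceptance rules (ours, not code from this post’s author or from the reCAPTCHA service); it assumes the provider’s verification reply is a JSON document carrying “success”, “hostname” and “challenge_ts” fields, and replaces the network call with a constructed in-memory stand-in so it runs offline.

```python
import json
from datetime import datetime

# Constructed values for this example; a real deployment uses its own hostname.
EXPECTED_HOSTNAME = "tickets.example"
TOKEN_MAX_AGE_SECONDS = 120


def parse_challenge_ts(value):
    """Parse the ISO-8601 'challenge_ts' string (assumed to end in 'Z') to epoch seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp()


class TokenVerifier:
    """Server-side acceptance rules for a submitted g-recaptcha-response token.

    `lookup(token)` stands in for the HTTPS call a server makes, with its secret key,
    to the provider's verification endpoint; it must return the provider's JSON reply.
    The reply is assumed to carry 'success', 'hostname' and 'challenge_ts' fields.
    """

    def __init__(self, lookup, expected_hostname, now_fn):
        self._lookup = lookup
        self._hostname = expected_hostname
        self._now = now_fn
        self._redeemed = set()   # tokens already accepted; each may be redeemed once

    def verify(self, token):
        """Return (accepted, reason)."""
        if not token:
            return False, "no token submitted"
        if token in self._redeemed:
            return False, "token already redeemed (replay)"
        reply = json.loads(self._lookup(token))
        if not reply.get("success"):
            return False, "provider rejected token: %s" % reply.get("error-codes", [])
        # The provider reports which page the widget was solved on. Insist that it was
        # ours: a token harvested from a real user on a look-alike page carries that
        # other page's hostname, even though the provider itself marks it a success.
        if reply.get("hostname") != self._hostname:
            return False, "solved on %r, expected %r" % (reply.get("hostname"), self._hostname)
        # A token collected earlier and held for later use should also be refused.
        age = self._now() - parse_challenge_ts(reply["challenge_ts"])
        if age > TOKEN_MAX_AGE_SECONDS:
            return False, "token too old (%.0fs)" % age
        self._redeemed.add(token)
        return True, "ok"


# Constructed stand-in for the provider's verification service (not the real endpoint).
FAKE_PROVIDER_REPLIES = {
    "tok-genuine": {"success": True, "hostname": "tickets.example",
                    "challenge_ts": "2015-01-12T10:00:00Z"},
    "tok-relayed": {"success": True, "hostname": "lookalike.example",
                    "challenge_ts": "2015-01-12T10:00:00Z"},
    "tok-stale":   {"success": True, "hostname": "tickets.example",
                    "challenge_ts": "2015-01-12T09:00:00Z"},
    "tok-bogus":   {"success": False, "error-codes": ["invalid-input-response"]},
}


def fake_lookup(token):
    return json.dumps(FAKE_PROVIDER_REPLIES.get(token, {"success": False}))


DEMO_NOW = parse_challenge_ts("2015-01-12T10:00:30Z")   # constructed "current time"


def demo():
    """Run each constructed token through the verifier; returns token -> accepted."""
    verifier = TokenVerifier(fake_lookup, EXPECTED_HOSTNAME, now_fn=lambda: DEMO_NOW)
    outcomes = {}
    for tok in ("tok-genuine", "tok-relayed", "tok-stale", "tok-bogus", "tok-unknown"):
        outcomes[tok] = verifier.verify(tok)[0]
    outcomes["tok-genuine-again"] = verifier.verify("tok-genuine")[0]   # replay attempt
    return outcomes


if __name__ == "__main__":
    for tok, ok in demo().items():
        print("%-18s %s" % (tok, "accepted" if ok else "rejected"))
```

Only the first presentation of the token solved on the site’s own hostname is accepted; the relayed, stale, bogus, unknown and replayed tokens are all refused even though two of them would pass a bare “success” check.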
SO WHAT DOES THIS ALL MEAN?
The conclusion that can be drawn from Egor’s findings? While the convenience of reCAPTCHA has somewhat increased for some users, so has its vulnerability. He proposes that the implementation of the cookie whitelist has not only opened the service to exploitation in and of itself, it has also opened a gateway into the existing technology by replacing challenge/response with the “g-recaptcha-response” token.
CAPTCHA innovation has started to occur around the globe, so there certainly are more options now. For developers of secure alternative types of CAPTCHA, the goal is to provide a method that, at its core, is already so quickly solvable that it leaves room for the challenge to become lengthier in response to brute-force attacks, while still staying reasonable for humans accidentally caught in the net. Forcing it to become trivially solvable after building a whitelist of “human” behaviour would be both pointless and potentially damaging, resulting in the position that Egor believes reCAPTCHA now finds itself in.
04 Jan 2015
It has been a big year for us here at FunCaptcha and next year looks to be even bigger! With all the milestones we’ve hit and are aiming to hit, we felt a quick recap was in order and what better way to do that than with a blog series? In this first installment, we’ll be going over some highlights of 2014 and then we’ll be outlining the direction of five future posts and their significance. To kick things off, here are some milestones we hit in 2014.
These milestones wouldn’t have been possible without the ongoing collaboration and passion shared by our ever growing client base so to them – thank-you. It’s a joy to provide peace of mind through enjoyment for you and your users and we look forward to doing so all through 2015 and beyond. But what of 2015? What’s next for FunCaptcha and our clients?
Over the coming weeks, we’ll be steadily rolling out some of the biggest upgrades yet to FunCaptcha. The five key areas will include overhauled visuals, improved speed, adding an administrator dashboard, opening up potential revenue streams for clients and even providing analytics so each of our clients can see how their individual FunCaptcha package is performing.
As each of these updates go live, so too will an accompanying blog post diving into a bit of detail to explain things like motivations behind each upgrade, what we hope to achieve with them and most importantly, how our clients (and their users!) will benefit. For those wanting some more insight into how we operate and what we’re about – you won’t get a better opportunity.
That’s all for now but stay tuned for updates as we say goodbye to 2014, hello to 2015 and most importantly – FunCaptcha 2.0.
The FunCaptcha Team
01 Dec 2014
eCards have been an incredibly useful, popular and often hilarious product since their inception in 1994. The first eCard website, The Electric Postcard, went from only a dozen or so cards being sent to over 1.7 million after only one and a half years of operation. The model gained traction and various websites began to spring up, with a website called Blue Mountain Arts even being bought by Excite@Home for upwards of $780m in 1999, at the height of the “Dotcom Bubble”.
It was a pretty dark time for eCards.
Today, eCards have a wide variety of uses. From simply wishing mom a Happy Birthday, to raising awareness – and even funds – for social causes.
Yet the security concerns are still valid: the fundamental process by which an eCard is sent to users can be (and is) exploited through automated software and even the manual input of random e-mails. The process usually occurs on the relevant website itself, which requires only your name, your e-mail, the e-mail address you wish to send to, a delivery date and, of course, the message itself. In June of this year, Symantec reported on an eCard spam campaign that linked to a “get rich quick scheme” which even utilized a fake BBC news report in an attempt to confuse users and convince them of its legitimacy.
eCard sites need to protect their brand’s reputation by ensuring their users’ security. All it takes is for someone to receive one “dodgy” or negative eCard from a service and the experience is forever tainted. Rarely would anyone choose to open another e-mail from an address or provider that has previously led to disastrous results. In fact, they may never open another eCard again, regardless of the source.
FunCaptcha has a deep history in the eCard space, and can answer any questions that you might have on this topic.
24 Nov 2014
The Foo Fighters, in an effort to promote their upcoming “Sonic Highways” US tour have launched a campaign against ticket scalpers called #BeatTheBots, which has moved their pre-sale tickets from online to physical purchasing from a fan’s nearest box office.
Ticket scalpers have always been an issue for promoters and fans of live entertainment, but it’s the advent of online ticket sales that has allowed scalpers to take advantage of software that can bulk buy tickets for reselling. This automation allows one or two people to clog up the online ticket sales process with thousands of fake “customers” (aka Bots) to secure hundreds of tickets before any real customers can get access, meaning you and I are paying a premium for our tickets – if we can get them at all! So when we heard that the Foo Fighters had opted for a physical sales process instead of an online one, the music fan in us thought “Oh cool – that’s pretty retro!” but then the tech head in us realized “This is just wrong!”. To be clear – we love that the Foos are fighting back but just hate that they have to do it.
So, what to do? Well, the FunCaptcha team’s primary goal has always been to beat the bots while allowing genuine customers through and having fun along the way. Traditional CAPTCHAs are something no one really enjoys, but they’ve been a necessary evil, until now. We decided to put a quick custom FunCaptcha together for the Foo Fighters, just to give people a taste of what’s possible when they want to #BeatTheBots.
Congratulations to the Foo Fighters for taking the initiative and fighting back but we may have a better solution for them: use our service for any online ticket sales process. FunCaptcha has a >96% success rate for genuine humans while battling bots and spammers. This allows all fans the comfort and ease of purchase that online is known for, while ensuring scalper-bots get the middle finger they deserve.
Finally: we’re a bit TOO excited for them to be gracing Australian shores as part of their world tour, specifically Brisbane on Tuesday, 24th of February.