HotCaptcha: Wrong! Die, bot, die.

“i met my wife on your captcha!!!” — steve, from new york

this is hilarious. go prove you are a red-blooded male or female rather than a green-blooded vulcan (of course, i do mean bot). hot captcha, at your service.

http://www.hotcaptcha.com/

and, well, it works.

the pics seem to repeat themselves though, so i suspect they can be beaten rather easily. they use hotornot though, so it should be nothing less than brilliant!

this is an excuse to put up another picture of a hot girl from hot or not:

gadi evron,
ge@beyondsecurity.com.

  • achtung

    and there we go, ads pay you with this kind of posts, really weird world.

  • http://guh.nu drew

    ha ha. amusing idea.

    as sunshine points out, the dataset in this is the attackable one. it would be rather trivial to troll the hot-or-not database using their api, collect all the images and their ratings, and then match the captchas presented with images in your database.

    perhaps distorting the images, similar to word-based captchas, would add another level of complexity.

    and i thought i was the only one addicted to mashups… http://mapwow.com

  • Thor Larholm

    Thanks for sharing it, I just broke it :-P

    Whenever you ask http://hotcaptcha.com/captcha for a new set of images, that group of images is assigned a unique ID in the hotcaptcha_id argument. As an example, my ID was 5089e1bec0d556c49465008dfb5e9a03a3f6dc3a and the 3 hot people were top center, middle center and middle right. Even though I deliberately chose the wrong people in my first attempt, I could simply change the updated ID back to my old ID and try once more, and once more, until I got it right.

    By reusing the hotcaptcha_id, you (you being a bot) can send additional requests and simply exhaust all possible combinations until you get a correct response. 9 to the power of 3 equals a maximum of 729 HTTP requests to break hotcaptcha.

    To protect against combinatorial exhaustion the server should not allow multiple requests for each unique hotcaptcha_id. However, given the limited dataset available through the API of hotornot.com (the number of images allowed to be queried), an attacker can quickly compile a dictionary of all possible hotcaptcha_id combinations and break any given hotcaptcha_id in the first request.

  • sunshine

    Yep, just MD5 them. :P
    The current implementation isn’t much.

  • http://www.BeyondSecurity.com aviram

    Nice one Thor :-)

  • http://www.BeyondSecurity.com Lev

    Idea is great, and it's easy to solve all the issues you guys pointed out :)

    To prevent image recognition by signature for quite a small image db, it's possible to use some mix of random “effects” that will make images “random”.

    IDs should be generated on the fly.
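Thor's mitigation (one verification attempt per hotcaptcha_id) and Lev's point (IDs generated on the fly) amount to a single-use, unpredictable, expiring challenge id on the server side. The sketch below is an added example and not hotcaptcha.com's code; the ChallengeStore class, the 3x3 grid with three answer positions, and the 120-second lifetime are assumptions chosen to match the thread.

```python
import secrets
import time

# Constructed, stand-alone example of a single-use challenge store (hypothetical
# class, not hotcaptcha.com's code). Every challenge gets a fresh random id and
# is consumed by the first verification attempt, right or wrong, so the same id
# can never be replayed to guess again.

GRID_SIZE = 9      # 3x3 grid of images, as described in the thread
ANSWER_SIZE = 3    # the three "hot" positions the user has to pick
TTL_SECONDS = 120  # a challenge that is not answered in time is discarded
_RNG = secrets.SystemRandom()  # OS entropy, so answer positions are unpredictable


class ChallengeStore:
    def __init__(self, ttl=TTL_SECONDS, now=time.monotonic):
        self._now = now      # injectable clock, so expiry can be tested
        self._ttl = ttl
        self._pending = {}   # challenge_id -> (expected positions, expiry time)

    def issue(self):
        """Pick three answer positions and bind them to a fresh, unguessable id."""
        answer = frozenset(_RNG.sample(range(GRID_SIZE), ANSWER_SIZE))
        challenge_id = secrets.token_hex(20)  # 160 random bits, new on every call
        self._pending[challenge_id] = (answer, self._now() + self._ttl)
        # the answer is returned only so the caller can lay out the grid; it is
        # never sent to the client
        return challenge_id, answer

    def verify(self, challenge_id, chosen):
        """True only for the first, correct, in-time answer to this id."""
        # pop() consumes the id whether or not the guess is right: a wrong guess
        # burns the challenge instead of leaving it open for another try.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False  # unknown, already used, or forged id
        answer, expiry = entry
        if self._now() > expiry:
            return False  # stale challenge
        return frozenset(chosen) == answer


def replay_demo():
    """A wrong guess, then the right answer replayed on the same id: both fail."""
    store = ChallengeStore()
    cid, answer = store.issue()
    wrong = sorted(set(range(GRID_SIZE)) - answer)[:ANSWER_SIZE]  # guaranteed wrong
    first = store.verify(cid, wrong)    # wrong guess consumes the id
    second = store.verify(cid, answer)  # correct answer, but the id is already spent
    return first, second  # (False, False)
```

With the id spent on the first attempt, every further guess costs the bot a new challenge request, which is what a rate limit can then be applied to.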

  • sunshine

    I guess that for a short-term solution just adding one random pixel somewhere in the image should work.

  • janes

    That chick is… hot. I want this captcha all day long

  • su

    add me: luvly_les@hot