Re: Defeating audio captcha systems

From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
To: Jos?e M. Palazon Romero <josem.palazon@gmail.com>
Cc: bugtraq@securityfocus.com
Subject: Re: Defeating audio captcha systems
Date:


Dear Jos?e M. Palazon Romero,

This   approach   is   not   new,   it   was   demonstrated  by  ShAnKaR
<shankar_(at)_shankar.name> against Simple Machines Forum 1.1.2 in June,
2007.

See:
http://securityvulns.ru/Rdocument271.html (in Russian)
http://securityvulns.ru/files/capcha.pl (Exploit code)
http://www.securityfocus.com/archive/1/archive/1/471641/100/0/threaded

--Tuesday, January 15, 2008, 9:01:03 AM, you wrote to bugtraq@securityfocus.com:


JeMPR> Hi all,

JeMPR> Some days ago I wrote an advisory which demonstrates how the
Peter's
JeMPR> Math Antispam Spinoff plugin for wordpress
JeMPR> (http://www.theblog.ca/math-anti-spam) can be defeated by its
audio file.

JeMPR> It's hard to summarize, you better read the advisory, but in a
very
JeMPR> small nutshell, the flaw its about not using any kind of
distortion on
JeMPR> the audio clip, which makes it easily identificable by a script.

JeMPR> Here is the link:

JeMPR> http://docs.google.com/View?docid=df36cd52_19xzmkwqcg

JeMPR> I'm sure you will find the advisory inspirational, as the
approach is
JeMPR> applicable to many other capthas, and anti-script methods.

JeMPR> Regards

JeMPR> Jose
 


-- 
~/ZARAZA http://securityvulns.com/
  ...       . ()





Copyright © 1995-2019 LinuxRocket.net. All rights reserved.