Captcha Generation - the new method



  • This has got to be one of the most, ahem...creative, solutions I have seen for captcha generation: 

    https://account.uk.miva.com/Advertiser/Account/login.asp

    View source, and search for "SecureText" to find the section of the HTML that contains the captcha "image."  Then scroll to the right.  Keep scrolling...keep scrolling...

    Brillant!

    I'm just surprised they're not using floated divs or an enterprisey java applet.



  • OMG.

     
    You can also get a hint if you try to select the numbers.

     
    Inaccessibility ho!
     



  • It's only, what, 130 bytes per pixel?
    And re-rendering to a single bitmap before passing it on to be OCR'd wouldn't take much.

    On the other hand it's actually kinda neat right now, because it's about the most readable captcha I've ever seen (no distortion at all), and there's likely not a single system on the planet that will crack it automatically as is. 
     



  • @jcoehoorn said:

    It's only, what, 130 bytes per pixel?
    And re-rendering to a single bitmap before passing it on to be OCR'd wouldn't take much.

    On the other hand it's actually kinda neat right now, because it's about the most readable captcha I've ever seen (no distortion at all), and there's likely not a single system on the planet that will crack it automatically as is. 
     

     

    I actually don't quite see how this is a WTF...

    Though a bot that can take screenshots and run it though image scanner will solve the issue :) 



  • @jcoehoorn said:

    there's likely not a single system on the planet that will crack it automatically as is.  

    It wouldn't be hard to write one.  Passing the "Has someone already cracked it?" test is not sufficient for good captcha.  It's far more important to pass the "Would it be easy to crack?" test.

    If someone with a valuable service (e.g. google) introduced this captcha, it would be compromised the very same day.


     



  • While not a good captcha method I still have to say it is neat.

    I feel like writing a table driven image processor now!



  • @Siloria said:

    While not a good captcha method I still have to say it is neat.

    I feel like writing a table driven image processor now!


    Here, have a PHP script I wrote up:


    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <title>Image thing</title>
    </head>

    <body>
    <?php
    // Show an upload box.
    if (empty($_FILES['image']['tmp_name']) || $_FILES['image']['tmp_name'] == '')
    {
    ?>
    <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post" enctype="multipart/form-data">
    <label>Image: <input type="file" name="image" /></label><br />
    <input type="submit" value="Upload" />
    </form>
    <?php
    }
    else
    {
    // Determine the file type.
    switch(strrchr($_FILES['image']['name'], '.'))
    {
    case 
    '.png':
    $function 'imagecreatefrompng';
    break;
    case 
    '.jpeg':
    case 
    '.jpg':
    $function 'imagecreatefromjpeg';
    break;
    case 
    '.gif':
    $function 'imagecreatefromgif';
    break;
    default:
    die(
    'Invalid image type.');
    }

    // Load the image.
    $im $function($_FILES['image']['tmp_name']);
    $width imagesx($im);
    $height imagesy($im);

    // Start our table.
    echo '
    <table cellpadding="0" cellspacing="0" width="'
    $width'" height="'$height'" border="0">';
    // Loop through each pixel.
    for ($y 0$y $height$y++)
    {
    echo 
    '
    <tr width="'
    $width'">';

    for (
    $x 0$x $width$x++)
    {
    // Get the colour of this pixel.
    // http://au2.php.net/manual/en/function.imagecolorat.php
    $colour_index imagecolorat($im$x$y);
    $colours imagecolorsforindex($im$colour_index);
    $r $colours['red'];
    $g $colours['green'];
    $b $colours['blue'];
    // A HTML colour code.
    $colour_code sprintf('%02X%02X%02X'$r$g$b);

    // Output this pixel.
    echo '
    <td width="1" height="1" bgcolor="'
    $colour_code'"><img src="b.gif" /></td>';
    }

    echo 
    '
    </tr>'
    ;
    }

    }
    ?>


    </body>
    </html>

    Save https://account.uk.miva.com//images/blankgif.gif as b.gif

    Probably doesn't work too well, I didn't test it extensively :P



  • Awsome! Reminds me of the BASIC days :D



  • Another fun trick is to turn off the page styles (View -> Page Style -> No Style in Firefox). You'll get a much bigger version of that contains many broken images. Or at least I did.



  • @chishm said:

    Another fun trick is to turn off the page styles (View -> Page Style -> No Style in Firefox). You'll get a much bigger version of that contains many broken images. Or at least I did.

    Very interesting... If I turn off styles in Opera (View → Style → User Mode), it dissapears.



  • @merreborn said:

    It wouldn't be hard to write one.  Passing the "Has someone already cracked it?" test is not sufficient for good captcha.  It's far more important to pass the "Would it be easy to crack?" test.

    I'd like to disagree. If you have a system where spoofed access is really critical, you wouldn't rely on any sort of captcha but use a secure authentication mechanism.
    I'd say, in 90% of the (non WTF) cases, captchas are used to make the life harder for some kind of spam bot. And for the writers of those bots it's actually NOT important to break a single site.
    If they want Google and the like to pick up their spam, they have to spread it over as many sites as possible. Hence, they have to break the captchas of as many different sites as possible.
    The more exotic and proprietary your captcha algorithm is, the less attractive your site becomes for a spammer: Even if your scheme is easy to crack: Why should he add the special cracking algorithm for your scheme to his bot if all he gains with that is a single site? Instead, he'll just go for the ten other sites that use the generic "disorted image" algorithm because he cracked that one already. It's all a matter of the right price.

    As for the captcha algorithm here, I think it's inspired by a blog post that was linked here some time ago. I like how he even implemented the "advanced" version and "compresses" pixels of the same color that lie next to each other into one cell. 



  • Google Checkout's logo is (or used to be) in the form of a table of pixels. It struck me as a bit RightClickRevenue-ish at the time.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.