Yahoo’s CAPTCHA Decoder Allows Automated E-mail Registration
The CAPTCHA security system used to block spam, primarily by Yahoo! along with other service providers such as Microsoft and Google, may be at risk, according to Russian security researcher John Wane. TMCnet published this news on January 18, 2008.
CAPTCHA, or 'Completely Automated Public Turing test to tell Computers and Humans Apart', is a system used to stop automated programs from registering e-mail accounts on the Web, filling blog comment sections with spam, or guessing passwords. The system presents a sequence of characters that users are meant to decipher manually and that image-identifying software should not be able to read.
Various programs for cracking CAPTCHA have already been built, largely with spammers' motives in mind.
But Wane has released software that is capable of beating the CAPTCHA system that Yahoo! has adopted to stop automated registration of its free e-mail accounts. Wane posted code that decodes the system with an accuracy rate of 35%.
Incidentally, Wane said that it is not essential to attain high rates of accuracy when developing software for automated recognition. An accuracy level of 15% is sufficient when the attacker manages to make 100,000 trials per day. Spammers could use the decoder to register e-mail accounts on Yahoo! for sending spam or to crack anti-spam systems.
In 2007, spammers exploited a clothes stripper as a lure to trick users into helping them crack CAPTCHA codes. The lure was a sequence of photographs that showed Melissa (not the 1999 Melissa worm) progressively throwing off clothes and showing more bare skin every time the spam recipient correctly keyed in the characters of the accompanying CAPTCHA code.
Also, according to research company Forrester, spammers today are applying more and more artificial intelligence tricks to deliver their junk to e-mail users. Such spam can be prevented only if vendors and their clients use technology that gives up the existing filtering approach.
» SPAMfighter News - 30-01-2008