Abstract

reCAPTCHA and other CAPTCHA service providers validate millions of CAPTCHAs each day and protect thousands of websites against the intertube bots. A secure CAPTCHA generation and validation ecosystem forms the basis of the mutual trust model and large scale damage can happen if any component of this ecosystem is compromised.

The presentation explains third party CAPTCHA provider integration and explains vulnerabilities that affect almost every CAPTCHA provider including reCAPTCHA. These vulnerabilities can be exploited to completely bypass the protection offered by CAPTCHA providers. A new signature based tool clipcaptcha will be introduced and released that can be used to exploit these vulnerablities to bypass CAPTHCA provider protection. clipcaptcha’s operational modes will be demonstrated. The operational modes include the following three mondes among others:

Avalanche Mode: All CAPTCHA validation requests are approved. Stealth Mode: Only attacker provided CAPTCHAs are approved. DoS Mode: All CAPTCHA validation requests are denied. Demonstrations will explain these modes along with live CAPTCHA provider bypass on the test server.