Sunday, April 20, 2008

Kitten Auth Busted!

last week /. rocked to the news that bots had been able to get significant success rates cracking the CAPTCHA's that protect gmail & livemail. People half-seriously joked about replacing text-based CAPTCHA's with kitten-auth or hot-or-not-auth, despite the high success rate of even a random bot attack.

now behold! Kitten Auth Busted! We only reveal this video of a live Kitten Auth CAPTCHA being broken now that the author of Kitten Auth has been notified of the vulnerability and the hole plugged. Previously there was no variation in the hash of the same image between multiple displays, so if a human being taught the bot to recognise different animals, it could then recognise and correctly categorise the cute furry animals to get past kitten-auth and spam the hapless creator with viagra ads & offers of penis enlargement.

The vuln has now been fixed with every image containing a random number embedded, which makes it impossible to recognise an image by it's hash alone.

The exploit was written in Javascript and run from inside GreaseMonkey, but not by me, by the anonymous uber-h4xx0r, captain meat...

http://potato.codefreaks.com.au/flash/KittenAuthBusted.swf.html
(note the video has been sped up, the first section is training the bot, after which it begins spamming constantly until disabled)

4 comments:

OliWarner said...

Yeah library size has always been pointed out as a weakness - especially as the library I've been using for the last two years has only been 150 images. It's easy to learn and sort.

So I ran it through a tiny little script to alter the content a little. I'm not too happy wanging text all over the images, but it's okay, I guess. I'm going to try a few more effects that are a little more subtle.

Captain Meat said...

Better bring on the next fix!

http://potato.codefreaks.com.au/flash/KittenAuth_2.swf.html

(it's still purely greasemonkey).

Edenist said...

have you thought about running the images through some kind of filter to blur them a little?
There should be a free library somewhere that could add enough noise to the image to randomly disturb the hash but not be too visible...

captain meat said...

The more filters the better. My script is lame compared to some of the technology available to crack this stuff.

What if the attacker processes the image with extreme contrast so then you are left with just the darkest and lightest features on the image? This negates the effect of any noise or colour changes. In fact, I reckon I could code that in JavaScript.

Some image warpage so there is a random ripple or two in the image could help combat this.

Rotation would help big time, as long as you can't see the edges of the square (this would give you 4 options to try to find the correct orientation). Rotation on it's own could be overcome by plotting vectors between the main features on the image, but this attack would be broken by the warpage. Finally random zoomage and offset should make things just that little bit harder. A KittenAuth system that implement all that should at least deter the script kiddies.