Filed under: Business, Web services, Google
Gmail CAPTCHA system cracked by spammers
The end is nigh.Days after the Windows Live Mail CAPTCHA system was cracked by spammers, reports state that the Gmail CAPTCHA system has fallen as well.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Ever signed up for an email or forum account, and been required to enter in a group of characters? That's a CAPTCHA system.
Folks are calling this hack the most sophisticated they have seen to date. Whereas cracking Windows Live Mail CAPTCHA required one compromised host, cracking Gmail took the combined efforts of two hosts. And because of Gmail's more sophisticated CAPTCHA system, only one in five breaking requests succeed.
While one in five doesn't sound like much, keep in mind that Spambots are constantly working at registering hundreds of email addresses at a time, 24/7. These Spambots can't be bargained with. They can't be reasoned with. They don't feel pity, or remorse, or fear. And they absolutely will not stop, ever, until you are dead.
Oh, wait, that's another bot we're thinking of...
So for all the spammer's effort, what are they getting in return?
- They gain access to Google's wide portfolio of services
- They gain an address whose domain is highly unlikely to be blacklisted, helping them defeat one aspect of anti-spam defenses.
- Gmail also has the benefit of being free to use.
- Because Gmail has millions of users, it makes the spammers harder to track.
[via ars technica]
Get a WordPress.com Blog
With Halloween fast approaching, it's a great time to get in some practice defending your territory against zombies. In Graveyard Shift, you take aim at zombies and other creepy-crawlies, blasting them into splatters of cartoony green guts. It's a casual first-person shooter, and it's very easy to get the hang of - use the mouse to aim, click to fire. Graveyard Shift has at least 15 levels, and it might even have some secret stages I haven't unlocked yet.
They key to getting good at Graveyard Shift is learning to use ...
Reader Comments (Page 1 of 1)
zatrix said 4:55PM on 2-27-2008
As somebody who has undertaken the feat of defeating captchas for education purposes I salute the spammers. That was likely no easy task.
Reply
will said 5:41PM on 2-27-2008
I think if they used a picture system, it'd be harder to crack. Like display a picture of an apple, and ask the user what is the picture of.
If someone doesn't know what an apple is, they don't deserve to use the service.
RP said 12:07AM on 2-28-2008
You mean like an apple MacBook air or something? j/k :-)
I guess as long as they accept answers in all languages, it should work.
kingkool68 said 9:54AM on 2-28-2008
A picture system would not be as effective due to the limited number of possibilities. Plus it would require a lot more human effort on the backend to come up with pictures/correct answers compared to a computer script of contorted numbers and letters.
Everyone interested in Captchas should listen to Security Now Episode #103 where Steve Gibson talks in depth about the problem -> http://media.grc.com/sn/SN-101.mp3
lagartoflojo said 6:18PM on 2-27-2008
@will
You are assuming that everyone speaks the same language.
Reply
Nate said 6:20PM on 2-27-2008
To Will: But how many pictures can they hold? I mean with random text and numbers billions of combinations can be created. While with the picture system, pictures must be either found or taken, then listed as what they are. Limiting the potetial of the system because the spammer could just make a bitmap of every CAPTCHA due to the smaller amount of them and have it compared to the current image, a resource intensive process, yes, but an easy crack.
Reply
Marshall said 8:13PM on 2-27-2008
If they took the images that had gone through Google Image Labeler http://images.google.com/imagelabeler/ , there would already be a list of words associated with the image, so you wouldn't have to get the exact word that one person thought described the picture.
Suddenly you have a huge pool of pictures to choose from, and more than one word for each.
Nate said 8:37PM on 2-27-2008
@Marshall
Hmm, didn't know that existed. I guess you learn something new everyday.
kingkool68 said 8:05PM on 2-27-2008
Gmail should up the requirements for signing up with their e-mail accounts by stronger identity verification system. After all, Gmail isn't like any old fad website, it's the center of your web life.
I'm not worried, Google has got a lot of smart people who can work up something more robust.
Reply
RP said 12:08AM on 2-28-2008
During the invitation-only phase, didn't they require a cell phone #, to which they would send an SMS message?
How hard would that be to do again?
michael said 12:32AM on 2-28-2008
This obviously disproves some loyal Gmail users saying that Gmail is absolutely the best and invincible web mail. Just kidding.
But obviously, Gmail has it's own issues as well. I wonder how they'll fix this.
Reply