Yahoo's CAPTCHA Security Reportedly Broken - InformationWeek
1/17/2008
05:42 PM

Yahoo's CAPTCHA Security Reportedly Broken

If a new software application posted to the Internet works, it could force Yahoo and other companies to spend yet more money to defend against spammers.

Yahoo may soon see a surge in spam coming from Yahoo Mail accounts.

"John Wane," who identifies himself as a Russian security researcher, has posted software that he claims can defeat the CAPTCHA system Yahoo uses to prevent automated registration of free Yahoo Mail accounts.

CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It's a technique that presents an image depicting distorted text that people, but not machines, can identify.

Large e-mail service providers like Google, Microsoft, and Yahoo present CAPTCHA images to users signing up for new accounts to make sure that there's a real person behind the registration information. These companies do so to discourage spammers from using automated methods to register thousands of free online accounts to send spam.

CAPTCHAs are also used to prevent spam in blogs and other online forums, automated ballot stuffing for online polls, and automated password guessing attacks.

"Few months ago, we received information that [a] Yahoo CAPTCHA recognition system exists in the wild with the recognition rate about 30%," Wane says in a blog post. "So we decided to conduct few experiments. We explored Yahoo CAPTCHA and designed a similar system with even better recognition rate (about 35%)."

Various automated methods exist to defeat CAPTCHA schemes, but the CAPTCHAs used by Google, Microsoft, and Yahoo have remained difficult for computers to crack.

If the software works as advertised, and it's not clear that it does, it could force Yahoo and other companies to spend yet more money to defend against spammers.

"We are aware of attempts being made toward automated solutions for CAPTCHA images and continue to work on improvements as well as other defenses," a Yahoo spokesperson said in an e-mailed statement.

John Orbeton, strategic product manager for IronPort, said that if the software works, "it could be used for spam. It could be used for phishing. It depends on the motivation of the attacker." The claimed rate of success, 35%, he said, "could create a fairly significant number of e-mail accounts."

It is ironic, Orbeton added, that image-recognition technology, which is being used to defend against the current generation of image spam, should be used by spammers to create more spam.

Not that there's any shortage of the stuff. "In 2007 we saw spam volumes increase 100%," Orbeton said. "That comes out to around 20 spam messages per day for everyone on the planet, whether they have e-mail or not."
