
I Think I Figured Out How to Defeat Bots!

September 5, 2011

Bots rule the world….
then one day, somebody invented CAPTCHAS.

….so bots became smarter. Using OCR, bots were able to defeat captchas, and some captchas were defeated even without OCR because of foolish or insecure implementations.

Then CAPTCHAs became more advanced. By distorting the characters enough, captchas became more and more difficult to solve algorithmically.

…. so bots evolved. Bots started relying on humans to solve captchas for them! Using cheap labor in India, every time a bot encounters a captcha it screenshots it and waits for a “deCAPTCHA” service to send the right answer back. For about $2, they solve 1000 captchas…..

This is where we are, currently. Bots are winning.

Now, I think I figured out how to defeat bots.

I was checking out these captcha-solving services and noticed that the bot has to tie into their API: it either a) sends them the actual captcha image file as served, or b) sends them a screenshot of the captcha, and then keeps polling until an answer comes back. That reminded me of Kevin Woolery, the systems architect/founder at my old job, Buzz Media. We had been discussing ways to stop users from downloading our images and reposting the content on their own websites. At best we could block the download; users would still be able to screenshot the images. Kevin suggested a .swf running at a high frame rate that shows only a strip of the image at a time. That way nobody can simply save the image, and nobody can screenshot it either: a screenshot would capture only a single strip.
It was a great idea, but a frame rate high enough to make a whole photo look seamless would be unrealistic; at best it would give users a headache. It may not be a practical solution for images… but it’s the PERFECT solution for captchas!

So…. I got to work.

  <?php
  // Split a captcha image into one PNG frame per pixel row. Each frame is a
  // white canvas the size of the source with a single row copied into place.
  $source = imagecreatefromjpeg("Modern-captcha.jpg");
  if ($source === false) {
      die("could not read Modern-captcha.jpg\n");
  }
  $source_width  = imagesx($source);
  $source_height = imagesy($source);

  for ($row = 0; $row < $source_height; $row++) {
      // Zero-padded so the shell glob passed to png2swf sorts the frames in order.
      $fn = sprintf("captchaframe_%03d.png", $row);
      echo "$fn\n";

      // Blank white canvas with the same dimensions as the source.
      $im    = imagecreatetruecolor($source_width, $source_height);
      $white = imagecolorallocate($im, 255, 255, 255);
      imagefill($im, 0, 0, $white);

      // Copy one pixel row (height 1) from the source into the same position.
      // Raising the height from 1 to 10 here gives the overlapping strips described below.
      imagecopyresized($im, $source, 0, $row, 0, $row, $source_width, 1, $source_width, 1);

      // Reduce to a 256-colour palette so the PNGs stay small for png2swf.
      imagetruecolortopalette($im, false, 256);
      imagepng($im, $fn);
      imagedestroy($im);
  }
  imagedestroy($source);

Using PHP and GD, I was able to automate the process of splitting up the captcha image.

Now, I noticed a nifty set of tools in the Ubuntu repository called “swftools”. Using that, assembling the frames into a 30 fps animation was a one-liner:

png2swf -r 30 captchaframe_* -o captcha.swf

1st Attempt: animated captcha

Wait, that’s not legible for humans either. So I changed the “1” to “10” in the PHP code, so that each iteration copies a 10-pixel-high strip starting at the current row instead of a single line. Consecutive frames then overlap, and every row stays on screen for 10 frames in a row (a 9-frame carry-over), long enough for human eyes to register what they just saw, while any single frame still exposes only 10 rows.

and…. VOILA!
animated captcha1
animated captcha2

I’ll call this the Woolery-Kim Captcha.
Bot this!
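To make the strip scheme concrete without GD or swftools, here is an added example (my own Python, not the post’s PHP) that runs the same loop over a small constructed bitmap. It shows the two properties the post relies on, that a single frame exposes at most `strip_height` rows and that each row persists for `strip_height` consecutive frames, and also the property a practitioner should keep in mind: stacking every frame gives the original image back. The glyph, the function names and the 30 fps figure are assumptions for illustration.

```python
# Added example, not from the original post: the strip-animation scheme
# modelled on a tiny constructed bitmap, without GD or swftools.
WHITE, BLACK = 255, 0

# Constructed 8x8 glyph (a "T"): '#' = ink, '.' = paper.
GLYPH = [
    "########",
    "########",
    "...##...",
    "...##...",
    "...##...",
    "...##...",
    "...##...",
    "........",
]
IMAGE = [[BLACK if ch == "#" else WHITE for ch in line] for line in GLYPH]


def make_frames(image, strip_height):
    """Mirror of the post's PHP loop: one frame per source row, each frame a
    white canvas with rows [row, row + strip_height) of the source copied
    into place (clipped at the bottom edge, as GD does)."""
    height, width = len(image), len(image[0])
    frames = []
    for row in range(height):
        frame = [[WHITE] * width for _ in range(height)]
        for y in range(row, min(row + strip_height, height)):
            frame[y] = list(image[y])
        frames.append(frame)
    return frames


def inked_rows(frame):
    """Indices of rows in a frame that carry any non-white pixel."""
    return [y for y, r in enumerate(frame) if any(p != WHITE for p in r)]


def max_inked_rows(frames):
    """Most ink rows any single frame exposes: what one screenshot can capture."""
    return max(len(inked_rows(f)) for f in frames)


def frames_showing_row(frames, y):
    """Number of frames in which source row y is visible (its persistence)."""
    return sum(1 for f in frames if any(p != WHITE for p in f[y]))


def persistence_seconds(strip_height, fps):
    """How long one row stays on screen at the given frame rate."""
    return strip_height / fps


def composite(frames):
    """Darkest-pixel stack of every frame. The union of the frames carries
    every row of the source, so anyone who captures the whole sequence
    recovers the original; the animation alone is not the defence."""
    height, width = len(frames[0]), len(frames[0][0])
    return [[min(f[y][x] for f in frames) for x in range(width)]
            for y in range(height)]


if __name__ == "__main__":
    frames = make_frames(IMAGE, 3)
    print("frames:", len(frames))
    print("rows exposed by any one frame:", max_inked_rows(frames))
    print("frames showing row 4:", frames_showing_row(frames, 4))
    print("row persistence at 10 rows / 30 fps: %.3fs" % persistence_seconds(10, 30))
    print("stack of all frames equals source:", composite(frames) == IMAGE)
```

With `strip_height=1` the bound drops to one row per frame, which is the first, illegible attempt; with 10 rows at 30 fps a row is visible for a third of a second, which is why the second attempt is readable.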

BTW, this is incomplete on its own. All the common-sense measures must still be in place. Tying the challenge to a session (with the session reference handed to the SWF via flash vars) is a must. SWFs must be generated dynamically, and the URI must not carry an identifier that reveals which captcha was served; otherwise an attacker can precompute the answer for every URI (rainbow tables can be built for captchas as well).
Sorry, this free WordPress blog strips embed, object and iframe tags…. hence the links above rather than inline animations.
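As an added illustration of the server-side bookkeeping the previous paragraph calls for (my own Python, not code from the post), the class below issues a random, opaque token per challenge, keeps only a hash of the answer on the server, and makes each token single-use and time-limited. The class name, the 120-second lifetime and the sample answers are assumptions.

```python
# Added example, not from the original post: session-bound, single-use
# captcha challenges whose URI token reveals nothing about the answer.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 120  # seconds a challenge stays valid (assumed value)


class CaptchaSession:
    """Challenge store for one user session.

    The token placed in the SWF URI (or passed as a flash var) is random and
    unrelated to the rendered image, so a precomputed URI -> answer table is
    useless. The answer is stored hashed and consumed on first use."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing
        self._challenges = {}           # token -> (answer_hash, issued_at)

    @staticmethod
    def _digest(text):
        return hashlib.sha256(text.encode("utf-8")).digest()

    def issue(self, answer):
        """Record a freshly rendered captcha's answer; return the opaque token."""
        token = secrets.token_urlsafe(16)
        self._challenges[token] = (self._digest(answer), self._now())
        return token

    def verify(self, token, response):
        """Check a submitted answer. The challenge is removed whether or not
        the answer is right, so a token cannot be retried or replayed."""
        entry = self._challenges.pop(token, None)
        if entry is None:
            return False
        answer_hash, issued_at = entry
        if self._now() - issued_at > TOKEN_TTL:
            return False
        return hmac.compare_digest(answer_hash, self._digest(response))


if __name__ == "__main__":
    session = CaptchaSession()
    token = session.issue("x7k2q")      # constructed sample answer
    print("token in URI:", token)
    print("wrong answer accepted:", session.verify(token, "wrong"))
    print("correct answer after failure:", session.verify(token, "x7k2q"))
```

Without the pop-on-verify and the session binding, a bot could hand the same SWF to a solving service as many times as it likes, and with a stable identifier in the URI it would only need to solve each image once.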

From → Hacks

9 Comments
  1. Dave permalink

    voilà.

  2. ymous permalink

    It could be beat. And you should be able to figure out how.

  3. Hello there, you have done an incredible job. I’ll certainly Digg it and personally recommend it to my friends. I’m confident they will benefit from this site.

  4. Good blog post. I definitely appreciate this site.

    Stick with it!

  5. With having so much written content, do you ever run into any problems of plagiarism or copyright infringement? My blog has a lot of unique content I’ve either authored myself or outsourced, but it seems a lot of it is popping up all over the internet without my permission. Do you know any ways to help prevent content from being ripped off? I’d genuinely appreciate it.

Trackbacks & Pingbacks

  1. The Great Food Truck Hack « cranklin.com
