web application security lab

CAPTCHA Proxy Service

One concept I have been playing with a lot lately is interesting ways to take the robot out of CAPTCHA solving while still solving it subversively. Sure, we came up with the mechanical turk methods, the porn proxy, using kids’ games, and a variety of other low-tech solutions. However, the other day, I came up with a concept for an actual service that does this. Let me explain:

CAPTCHAs, or any automated Turing tests in general, attempt to see if the consumer is a robot or not by throwing up an image to test whether a human can read it. Webmasters use them so they can detect if the user is real or not. So webmasters have a need, and spammers also have a need. Webmasters want to detect if a user is really a person or not, and a spammer wants to solve those CAPTCHAs in whatever way is effective. So here’s the concept.

By setting up a central proxy with APIs for webmasters, you can solve both problems at once. The webmaster gets to have unique CAPTCHAs by using the API to query the proxy. The proxy pulls a CAPTCHA from somewhere on the Internet that a spammer wants to break. The spammer uses their own API to decide if the consumer types in the correct password or not and sends a decision back to the webmaster through the proxy. The webmaster can then allow the user to succeed or fail as they choose. The only motivation for the black-hat webmaster to do this is if they represent a lower value target than the websites that the spammer tends to attack and/or if they don’t care about other websites’ problems with security.

Of course this is entirely black-hat, and provides no good service whatsoever, but it does solve two different people’s problems at the same time. This symbiosis does introduce latency, slowing the consumer down while they wait for the proxy and the spammer to validate the entry. Maybe a credit system would need to be put in place based on the latency time to ensure quality. This service exploits one of the two fatal flaws in CAPTCHAs: even if a CAPTCHA works perfectly and can detect whether the consumer is a person or not, it cannot detect their intentions (the second flaw being that if it is created by a computer it can be read by a computer). Yah, evil, I know.

7 Responses to “CAPTCHA Proxy Service”

  1. Dean Brettle Says:

    You say:

    “The only motivation for the black-hat webmaster to do this is if they represent a lower value target than the websites that the spammer tends to attack and/or if they don’t care about other websites’ problems with security.”

    But those don’t really seem like things that motivate a webmaster to actually use such a service. They are more reasons that a webmaster might not mind doing so. The only real motivations I see for the webmaster are that they don’t have to generate CAPTCHAs and they could conceivably get paid by the service, which could charge the spammers.

    The only defense I see against such a service is to offer an alternative service which is more attractive to webmasters. For example, instead of serving stolen CAPTCHAs, my alternative service could serve code that solves (part of) a computationally intensive problem that someone is willing to pay to solve. If it costs more to compute the solution to such a problem than it would cost to pay someone to solve a CAPTCHA, webmasters should get paid more to use my service than the CAPTCHA proxy.

    For an explanation of why I think such problems would cost more to solve than CAPTCHAs, see my comment on your “CAPTCHA Curiosity” post:

    http://ha.ckers.org/blog/20060906/captcha-curiosity/

  2. RSnake Says:

    No, you are absolutely right, I hadn’t thought of that and it’s a great point. That is definitely another reason, sort of a CPA deal with the proxy where every valid CAPTCHA is worth $0.0001 or something. The only danger with that is the money has to come from somewhere. So the spammers would have to be paying for it, which means you’d have to deal with them not defrauding you. Tough challenge that you’d have to overcome with volume or perhaps just make them pay per impression regardless of whether the CAPTCHA is solved or not.

  3. kaes Says:

    You make it sound like generating a CAPTCHA image is an expensive operation for a webserver that they would like to outsource and/or pay for?
    Why not run their own software to mangle a few colourful letters and numbers?

  4. RSnake Says:

    No no, not that the webmaster would pay for, but that they would GET paid for to have on their site. The spammers would pay them to have their users solve other people’s CAPTCHAs for them.

  5. Tontonq Says:

    I have an idea, but I may be wrong: if you have a web site which spams other sites’ contents, like ddlspot.com, and you have 800.000 hits, then when users want to download the crack you can ask them to solve the CAPTCHA, make a cURL connection, get the user’s entered text and your other things (username, birthday), and post the data & have fun :)

  6. RSnake Says:

    Yup, any time you have a large volume of people downloading something or wanting access to something you can do this. The only downside to your proposal is you get just a sudden burst that may overwhelm volumes/needs rather than a slow steady burn like you’d get on what I described.

  7. Tontonq Says:

    I found that site, but I don’t think they will share the source.

    http://sam.zoy.org/pwntcha/