Script Defeats Minteye CAPTCHA

minteye-captcha-defeated

We hadn’t heard of minteye CAPTCHA before, but we’ve seen evidence of a script that can break the system. Minteye combines two things which you probably don’t love about the Internet: advertisements and CAPTCHA. The system uses a slider to distort an advertiser’s image. Once the slider is in just the right spot the image becomes clear and you can click on submit to see if you passed the challenge.

Challenges like this are impossible for the visually impaired, so there is usually an audio option as well. In this case the audio button will instruct you to move the slider to the right, left, or that it’s already in the correct place. [Samuirai] used the text2speech API available in Google Chrome to parse these commands. As you can see above, “movies later” is a misinterpretation of “move the slider”, but he was still able to get enough accuracy to solve the challenge. See the script in action in the video after the break.

Audio challenges have been exploited like this in the past. Check out this talk about beating reCAPTCHA through the audio option.

http://www.youtube.com/watch?v=u0M7gmS5Eg0

[Thanks Hadez via Shackspace blog]

41 thoughts on “Script Defeats Minteye CAPTCHA

  1. Also, this reminds me of an episode of The Amp Hour podcast quite some time ago… Dave Jones predicted “captcha advertising” as something we’d see cropping up eventually. Looks like he was right on the ball with that one. Nice going Dave.

    1. At some point, maybe 10 years ago, it wasn’t unusual for a certain type ;) of sites to
      have password protection, with a hint like: click banner, password is 3rd word second line

  2. I Don’t think we should be patting the captcha defeaters on the back.
    I think captcha serves a valid purpose.
    As I posted last time this came up: if you release your code so others can defeat it too, you may be smart, but you still suck.

      1. There’s no such thing as a “unbreakable captcha”. You can always just crowdsource answers to captchas (for instance, by building a “free” porn site that requires people to answer captchas.. that are actually just forwarded from other sites, to let spambots or whatnot in).

      2. I see hundreds of idiot children, and older man-children posting videos to the whole world how to defeat some of the toughest locks conceived after they watch a youtube, and spouting: “I’m jush posting dish video cus I whanna show how insecure deesh locks are”.
        The world does not need to know how to pick locks. Children should not know how to pick locks. Morons should not be taught how to pick locks !!!
        So by extension…
        Coders should not be making captcha breaking solutions for idiot spammers. As the sellers themselves are not bright enough to break it themselves, the captcha works, until the coders say “dish ish so lame, I could write a script…”.
        So who’s respondsible for the need for better captchas?
        Breaking weak security is not an accomplishment. It’s play-time on a snow day.
        I do hacking of things too, but I sure as hell don’t tell the world the vulnerablities of everything I find.
        It’s enough for me that I know.
        People need to re-learn to just STFU !!

        1. This is BS form one end to the other. Evolution WILL break the captchas (locks, etc) regardless of your penchant for security through obscurity. Exposing an insecure system, while annoying for the ones responsible with security, is not a bad thing after all, in the long run. Think about it.

          1. In general, security thru obscurity doesn’t work. But this isn’t about national security or bank vaults. Captchas are there to hinder spammers. Spammers are opportunists and bottom-feeders.

            My point is, if you’re gonna work on tools like this, leave them in the hands of the clever people. Same with hacking “tools”. The sort of person who makes the effort to learn obscure bits of RFCs, and divine applications’ memory maps, is generally too civilised and intelligent to go round crashing websites because some admin pissed them off.
            At the very least, if hacking’s left to the clever people, there’s just a lot less of them!

            Captchas aren’t fool-proof but they are idiot-proof. Why put tools into the hands of idiots, who wouldn’t be able to create, or even understand, those tools themselves? When, in this case, there’s nothing to be gained except yet more spam?

            Elitism, in all it’s many forms, is probably 80% of the reason that society hangs together.

          2. Captchas aren’t meant to be unbreakable, just inconvenient enough to deter most spammers, who’re lazy.

            To use a lock analogy: Captchas are like a cheap bike lock. Easy to break for anyone who really wants to, but deterring people from just stealing it on a whim as they walk by.

        2. Are you kidding me?
          This whole minteye captcha is seriously flawed (not only the audio assistence). If people/the company do not know the issues, there will be people who will exploit it.
          And if children do not know how to pick locks, how will this ever prevent other people from picking locks?

        3. What you are just saying is the discussion we have for years now. I see your point, but I think we all can learn more when we share this knowledge. As a hacker I like to share everything I know, because I believe that only free information can create a better world.
          And if a kiddy knows how to break sth., then some professional spammers know that too. Or somebody just sells this knolwedge to them. So I prefer to have free information, so everybody can learn and I don’t want to be infantilized.

        4. There’s a difference between “tough, but eventually breakable” and “child’s play”.

          Picking a good lock is still hours of work, for each individual lock, so the lock still serves a valid purpose although there are people who can defeat it. Same goes for, say, captchas that you can’t script where you at least have to pay a bunch of people to manually solve them by the dozen.

          Scriptable captchas, OTOH, are nothing more than a speed bump, and an annoying one at that. Like a certain type of lock that will just fall out of the door if poked at a specific angle.

          You would want to know about those locks, wouldn’t you? Because the crook around the corner _will_ already know about them. Spammers will just _pay_ black-hats to crack the captcha instead of waiting for white-hats like samuirai to get bored.

          Also, once minteye fix their captcha, they can just deploy the fix to their servers and they’re done (as opposed to changing a bajillion of locks on a bajillion of doors), so the only actual “harm” done by samuirai releasing the source is that they have an extra incentive to actually go and fix their stuff.

          Breaking weak security may or may not be much of an accomplishment, but it’s necessary to separate the weed from the chaff.

        5. Dude, chill out. Security through obscurity never holds up, because all information yearns to be free. How anyone can argue against the sharing of information is beond me. Not only does it fly in the face of the first amendment, it goes against everything that ‘hacking’ is about. Neither you nor I have any right to tell these people what to post so maybe you need to relearn how to STFU.

          Incidentally my 9 year old son actually did learn how to pick locks entirely on his own from youtube. I encourage him to learn about the world around him and anything he’s interested in.

      3. Captchas may serve purpose but they are still a pain. I use them myself but would never consider anything like this. These captchas sound like they would be worse than the normal ones. I don’t know how they are doing it but it must be a whole lot of javascript, Flash, or at least a little javascript and an animated gif/png. All making it more likely to break in uncommon browsers or take longer to download, etc…

        If releasing a howto on breaking it forces sites back to plain old static image captchas then that seems like a very worthwile purpose to me!

    1. Captcha may serve a valid purpose but if it is vulnerable to this sort of attack, ALL IT DOES IS IRRITATE LEGITIMATE USERS! (Similar to DRM and other anti-software-abuse stuff)

      The ones I hate are when you clearly typed the right combination and it rejects the answer. Never did get in to that forum.

      1. This is true. The captcha arms race has reached the point where there are plenty that I can’t read myself. And my programmer assures me I’m human.

        I suppose creating Turing tests is more difficult than defeating them. Image recognition is reaching it’s end as a useful test. Perhaps a captcha based on this thing you call… love…?

        1. Who’s running the captcha arms race anyway? Are regular captchas getting broken in any large numbers? Or is it just captcha creators trying to be innovative for the sake of looking better than the last captcha creator? Is anyone here knowledgable about this?

  3. Very cool. As others have said, this captcha is a bit pants and barely used anywhere online but it’s still a very fun project and an interesting way to get past it.

    If a captcha can be broken by bots then that fact should be shared with the world. Because it means the only people being annoyed by the captcha are real users and the spammers are just bypassing it anyway.

  4. this is just in their demo so i dont know if it will be in the actual usa of minteye by a web site but since the image urls are exposed in the page’s activity log a hacker can crack it by running some grid over the images and lining up the straight lines and comparing images

    1. I signed up and got my private and public key to insert the captcha on my website. In my demo I use those. So it’s not their demo, it’s what you actually get when you want to use it. Straight line algorithms also work against it. My roommate has a PoC for that too. But I thought the speech2text API is more elegant :)

    2. Also, going by straight lines requires the image to actually _have_ straight lines in the first place. Several of their images have natural subjects, like flowers or people, where you would be hard pressed to identify a straight line.

  5. I tried the demo of the captcha company. It seems there is quite a large range where it accepts the user as human. By setting the slider to the middle position and clicking submit I was able to get in everytime in less than 10 tries. Why not just make your bot do that, it could even submit several requests at the same time…

  6. Ahh bummer. I was looking into the Minteye option a couple of weeks back as it would be much nicer for phone app development versus the standard text CAPTCHA.

    Glad I didn’t follow through. This article is going to be popular amongst the malicious.

      1. There’s a heavy metal forum where the captcha is a randomly selected question like “what’s the name of Ozzy’s first band” or “what has 10 eyes, 9 arms, and sucks.” Amused the hell out of me when I first saw it. It can be beaten with a simple script, but it’s such a niche captcha that nobody has a ready to go script lying around, and anyone willing to write one for this random-ass small-time site is gonna get in sooner or later anyway.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.