Breaking The MintEye CAPTCHA One More Time

January 29, 2013 by Brian Benchoff 20 Comments

minteye

A while back we saw the MintEye CAPTCHA system – an ‘are you human’ test that asks you to move a slider until an image is de-swirled and de-blurred – cracked wide open by exploiting the accessibility option. Later, and in a clever bit of image processing, the MintEye CAPTCHA was broken yet again by coming up with an algorithm to detect if an image is de-swirled and de-blurred.

It appears we’re not done with the MintEye CAPTCHA yet (Russian, translation). Now the MintEye CAPTCHA can be broken without any image processing or text-to-speech libraries. With 31 lines of Java, you too can crack MintEye wide open.

The idea behind the hack comes from the fact that blurred images will be much smaller than their non-blurred counterpart. This makes sense; the less detail in an image, the smaller the file size can be. Well, all the pictures MintEye delivers to your computer – 30 of them, one for each step of swirl and blurring – are the same size, meaning the ‘wrong answer’ images are padded with zeros at the end of the file.

There’s a 31 line program on the build page that shows how to look at thirty MintEye images and find the image with the fewest zeros at the end of the file. This is, by the way, the correct answer for the MintEye CAPTCHA, and has a reproducibility of 100%.

So, does anyone know if MintEye is a publicly traded company? Also, how exactly do you short a stock?

Breaking The Minteye Captcha Again

January 19, 2013 by Brian Benchoff 16 Comments

cap

A few days ago we saw a post from [samuirai] at the Shackspace hackerspace in Stuttgart on breaking the minteye captcha system. Like most other captcha cracks, [samuirai] used the voice accessibility option that provides an audio captcha for blind users. Using the accessibility option is a wonderful piece of work, but [Jack] came up with an even more elegant way to defeat the minteye captcha.

For those unfamiliar, the minteye captcha provides a picture tossed through a swirl filter with a slider underneath. Move the slider left or right to eliminate the swirl and you’ve passed the, “are you human” test. Instead of looking for straight lines, [Jack] came up with a solution that easily defeats the minteye captcha in 23 lines of Python: just minimize the length of all the edges found in the pic.

The idea behind the crack is simply the more you swirl an image, the longer the edges in the image become. Edge detection is a well-studied problem, so the only thing the minteye cracking script needed to do was to move the slider for the captcha from the left to the right and measure the lengths of all the edges.

[Jack] included the code for image processing part of his crack, fortunately leaving out the part where he returns an answer to the minteye captcha. For that, and a very elegant way to crack a captcha, we thank him.

Script Defeats Minteye CAPTCHA

January 16, 2013 by Mike Szczys 41 Comments

minteye-captcha-defeated

We hadn’t heard of minteye CAPTCHA before, but we’ve seen evidence of a script that can break the system. Minteye combines two things which you probably don’t love about the Internet: advertisements and CAPTCHA. The system uses a slider to distort an advertiser’s image. Once the slider is in just the right spot the image becomes clear and you can click on submit to see if you passed the challenge.

Challenges like this are impossible for the visually impaired, so there is usually an audio option as well. In this case the audio button will instruct you to move the slider to the right, left, or that it’s already in the correct place. [Samuirai] used the text2speech API available in Google Chrome to parse these commands. As you can see above, “movies later” is a misinterpretation of “move the slider”, but he was still able to get enough accuracy to solve the challenge. See the script in action in the video after the break.

Audio challenges have been exploited like this in the past. Check out this talk about beating reCAPTCHA through the audio option.

Continue reading “Script Defeats Minteye CAPTCHA” →

Stiltwalker Beat Audio ReCAPTCHA

June 15, 2012 by Mike Szczys 13 Comments

This talk from the 2012 LayerOne conference outlines how the team build Stiltwalker, a package that could beat audio reCAPTCHA. We’re all familiar with the obscured images of words that need to be typed in order to confirm that you’re human (in fact, there’s a cat and mouse game to crack that visual version). But you may not have noticed the option to have words read to you. That secondary option is where the toils of Stiltwalker were aimed, and at the time the team achieved 99% accurracy. We’d like to remind readers that audio is important as visual-only confirmations are a bane of visually impaired users.

This is all past-tense. In fact, about an hour before the talk (embedded after the break) Google upgraded the system, making it much more complex and breaking what these guys had accomplished. But it’s still really fun to hear about their exploit. There were only 58 words used in the system. The team found out that there’s a way to exploit the entry of those word, misspelling them just enough so that they would validate as any of up to three different words. Machine learning was used to improve the accuracy when parsing the audio, but it still required tens of thousands of human verifications before it was reliably running on its own.

Continue reading “Stiltwalker Beat Audio ReCAPTCHA” →

CAPTCHA Bot Beats New Are You A Human PlayThru Game

May 25, 2012 by Mike Szczys 27 Comments

What do you put on your pancakes? Butter and syrup but not a pair of shoes? This makes sense to us, and it’s the premise of the new CAPTCHA game PlayThru. The space that is normally filled by nearly illegible text is now taken up by a little graphic-based game where you drag the appropriate items to one part of the screen. In addition to being easier than deciphering letters, this new platform shouldn’t require localization. But alas, it seems the system is already broken. [Stephen] sent us a link to a bot that can pass the PlayThru CAPTCHA.

Take a look at the video after the break to see the four test-runs. It looks like the bot is just identifying the movable objects and trying them out. Sometimes this is quick, sometimes not. But it does eventually succeed. For the PlayThru developers this should be pretty easy to fix, just make an error limit for trying the wrong item. At any rate, we can’t think defeating the current system is nearly as hard as defeating reCaptcha was.

Update: [Tyler] over at Are You A Human wrote in to share their side of this story. Apparently we’re seeing the bot play the game, but not necessarily pass it. It isn’t until the game if finished and the playing information is sent to their servers that a decision is made on whether it is successful or not. This way they can change the authentication parameters from the server side at any time.

At the same time, [Stephen] updated his bot and made a video of it playing the game without any shoes on the pancakes.

Continue reading “CAPTCHA Bot Beats New Are You A Human PlayThru Game” →

Are You Human? Resistor Edition

April 21, 2010 by Mike Szczys 72 Comments

[PT] tipped us off about a new way to screen bots from automatically leaving comments. Resisty is like CAPTCHA but it requires you to decipher color bands on a resistor instead of mangled text. This won’t do much for the cause of digitizing books, but if you can never remember your color codes this is a good way to practice. Resisty comes as a plug-in for WordPress, add it to your blog and for a geek cred +1.