Way to break 100% VisualCaptcha via checksum #24
Hello VisualCaptcha team,
I have worked with the VisualCaptcha solution for several months, on my projects and during security audits.
After this successful scenario I tried my script on the latest VisualCaptcha version (available on demo.visualcaptcha.com) and it doesn't work...
I dug again to understand "why it doesn't work on the latest version, and what security mechanism was added?", then I found this issue: #2
Random bytes are added to each PNG (and audio) file delivered to the client's browser. This is the reason why my PNG checksum calculation failed (two visually identical PNGs are not the same under checksum comparison).
So I updated my script to convert each downloaded PNG to JPG. This conversion deletes all additional random data to make a comparable JPG file with the same checksum every time.
Via this mechanism, the final script works on all VisualCaptcha 5.x versions, with random bytes added or not, and with a 100% success rate (because the captcha solution is based on a limited image database).
I have encountered this kind of captcha several times (they are really appreciated on devices like smartphones or tablets), so I decided to create a generic "VisualCaptchaBreaker" script to demonstrate the feasibility of breaking this solution.
You can find the full script, default database and sample here:
Demonstration video against the demo.visualcaptcha.net page:
I know that VisualCaptcha has already been broken in the past (described in issues), but no generic script was created (usable with BurpSuite, proxy, custom configuration, etc.).
I think VisualCaptcha can be updated to add more randomization in image/audio to produce different checksums in PNG and after JPG conversion.
VisualCaptcha is a good and well-designed solution, but like all other "limited static-image database captcha solutions", it can be broken.
Thanks for your reading and your interest,
Do not hesitate to contact me for more information,
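For maintainers who want to check whether their own deployment's randomization reaches the decoded image, here is an added example (not code from this thread or from visualCaptcha) that compares file-level hashes with hashes of the decoded PNG content. It assumes the random bytes trail the IEND chunk, builds its sample images inline, and models only lossless PNG decoding, not the JPG conversion described above.

```python
import hashlib
import os
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(kind, data):
    """Serialize one PNG chunk: length, type, data, CRC32 of type+data."""
    crc = struct.pack(">I", zlib.crc32(kind + data) & 0xFFFFFFFF)
    return struct.pack(">I", len(data)) + kind + data + crc

def make_png(width, height, rgb):
    """Build a minimal 8-bit RGB PNG (filter type 0 on every scanline)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    row = width * 3
    raw = b"".join(b"\x00" + rgb[y * row:(y + 1) * row] for y in range(height))
    idat = zlib.compress(raw)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def pixel_digest(png):
    """Hash IHDR plus the inflated IDAT stream; all other bytes are ignored."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, ihdr, idat = len(PNG_SIG), b"", b""
    while pos + 8 <= len(png):
        length, kind = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if kind == b"IHDR":
            ihdr = data
        elif kind == b"IDAT":
            idat += data
        elif kind == b"IEND":
            break  # bytes after IEND are not image data
    return hashlib.sha256(ihdr + zlib.decompress(idat)).hexdigest()

def audit_variants(variants):
    """Compare distinct file hashes with distinct decoded-content hashes."""
    files = {hashlib.sha256(v).hexdigest() for v in variants}
    pixels = {pixel_digest(v) for v in variants}
    return {"file_hashes": len(files), "pixel_hashes": len(pixels),
            "cosmetic_only": len(files) > 1 and len(pixels) == 1}

# Constructed sample: one 4x4 image served five times with random trailing bytes.
BASE = make_png(4, 4, bytes(range(48)))
PADDED = [BASE + os.urandom(16) for _ in range(5)]
# Constructed sample: five variants that each differ in one low-order bit.
PERTURBED = [make_png(4, 4, bytes(i ^ (i == n) for i in range(48))) for n in range(5)]
```

`audit_variants(PADDED)` reports `cosmetic_only: True`, while `audit_variants(PERTURBED)` reports five distinct content hashes.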
Wow, this is great! Thanks for the thorough exposition and explanation here (and for doing your research and understanding why certain things happen the way they do).
I'm currently focused on Oikon, and very open to taking in and reviewing PRs for visualCaptcha!
Hello Bruno, thanks for your feedback and your comment.
Yes, I meant "degrade the images". I well understand that the UX is more important for VisualCaptcha than solving this kind of security issue, but there are some solutions that do not degrade the pictures too much and add some security features, like:
So, how to increase VisualCaptcha's picture database without adding thousands of images? Some ideas:
These are just a few ideas, but they could improve the solution I think.
In any case, if UX is the goal of VisualCaptcha, there will always be an opportunity to "break" this solution relying on security through obscurity.
I love that you've documented these here for others to take ideas from (to improve their own implementations of visualCaptcha).
These are all things people can do on their own implementations. Some become too hard to circumvent if we implement a "generic" solution, like the IP one, maybe even the timer one.
Different types of colors also start getting in the way of people with color blindness.
Increasing the image database is definitely something that could be easily done. The LSB is also an interesting technique.