We already broke visualCaptcha. #25
Comments
Hey James, thank you so much for the information here! Do you have a sample of that breaking visualCaptcha? People have posted examples and there have been conversations back and forth on solutions in other places (you seem to have commented on most of them already!) like #20, #8, #2, or #6. *beep-boop* Ahem. Thanks, let me know!
@BrunoBernardino No, but you can just take a look at ConvNetJS and make your own. As I said, no GPU required. 100% in browser. Just encode the images* into numbers using their script and pass some examples through the neural network. After a couple rounds you can get it to recognize CIFAR-10 with pretty decent (~80%) accuracy. link edit: If you load the pretrained network into your browser, your computer doesn't slow down. Proof it's possible on any modern computer. *you can do pixelized random screenshots of the visualCaptcha field using some kind of headless browser implementation using PhantomJS. I bet you could code it up in a couple days. If it can do CIFAR-10, it can do simple visualCaptcha images. Especially since most of your clients don't modify the default images.
Thank you for the further explanation! I'm having trouble understanding how this would have different implications than the ones discussed in #20?
Also, no HSTS headers are provided on your demo site. You should provide a good example to users of your application. Not only that, your site doesn't even support HTTPS. I'm coming after you from all sides, punk. (just kidding)
I can also retrieve all images for a simple look-me-up-in-the-table algorithm by refreshing multiple times. @BrunoBernardino
The accessibility is even worse. Using modern freely-available machine learning algorithms (again no GPU required) we can turn it into text. Number questions are notoriously easy to solve once you have the text. For a quick example, see NLTK. (once again, no GPU required)
If it's not even that secure, then why have a CAPTCHA anyway? I also found that if you enter "White" or "WHITE" it doesn't accept it in accessibility. Bad design.
Thanks, James. I'm sorry but I'll have to block you at this point (just so you know in case I stop answering your comments). Your points are valid, and have been accepted and discussed, with the explanation there's no time available from me to improve that. The code's open for anyone to improve on that and I welcome constructive suggestions. I don't know what else you're looking for. I'm sorry, and thank you so much for your time and dedication.
In this TED talk, Fei-Fei Li presents a neural network that can recognize these objects with 99% accuracy - in the real world. With a bad background. With multiple objects. With color. Thousands more than are in the visual captcha database.
And we can always get a bot to download all the images.
Your system is a complete fraud. (or you've been controlled by a mindless robot swarm, either way)