# Writeup 2: CAPTCHA-ng Up With Today's Bots
###### tags: `Web Security`, `CAPTCHA`, `Bots`
---
<div style="text-align: justify">
## A Brief Introduction on CAPTCHAs
CAPTCHA is an acronym that stands for "Completely Automated Public Turing test to tell Computers and Humans Apart." The system is designed to determine whether a supposed user is a bot or an actual user.
CAPTCHAs provide a challenge for users. The good ol' text CAPTCHAs work primarily by showing users an image that contains a randomly generated string of text, which the user has to input correctly to prove their human identity. The text shown is often distorted in some way so that automated programs have a hard time deciphering it.
By requiring users to transcribe the text from the image accurately, CAPTCHAs use the fact that humans can recognize and interpret visual patterns, thus differentiating them from bots. For humans with visual impairments, CAPTCHAs also offer audio challenges, which require them to listen to and transcribe the given string of text. These audio challenges serve the same purpose as the usual visual CAPTCHAs but cater to users with different accessibility needs.
This mechanism helps prevent automated programs, such as spambots, from abusing online services, like creating fake accounts, spamming forms, or even launching some dangerous attacks. A "shield" like CAPTCHAs is important to maintain the integrity of online interactions and safeguard against various forms of cybercrime.
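
The server side of the text-CAPTCHA round trip described above, as an added example that is not part of the original writeup: the answer never reaches the client in readable form, every challenge expires, and each one allows a single attempt. The key handling, alphabet, lifetime and in-memory replay cache are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)           # assumption: secret that never leaves the server
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alikes such as O/0 or I/1
TTL_SECONDS = 120                              # assumption: challenge lifetime
_used_nonces = set()                           # replay cache; a shared store in a real deployment


def _mac(label, *parts):
    msg = "|".join((label,) + tuple(str(p) for p in parts)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_challenge(now=None):
    """Return (text to draw into the distorted image, opaque token for the form)."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    nonce, expires = secrets.token_hex(8), int(now) + TTL_SECONDS
    token = ".".join([nonce, str(expires), _mac("token", nonce, expires),
                      _mac("answer", nonce, expires, answer)])
    return answer, token


def verify_answer(token, user_input, now=None):
    now = time.time() if now is None else now
    try:
        nonce, expires, sig, answer_mac = token.split(".")
        expires = int(expires)
    except ValueError:
        return False
    # Reject forged or altered tokens before touching the replay cache.
    if not hmac.compare_digest(sig.encode(), _mac("token", nonce, expires).encode()):
        return False
    if now > expires or nonce in _used_nonces:
        return False
    _used_nonces.add(nonce)  # burned on the first attempt, right or wrong
    guess = _mac("answer", nonce, expires, user_input.strip().upper())
    return hmac.compare_digest(guess.encode(), answer_mac.encode())
```

Burning the nonce on a wrong guess as well as a right one is what stops a script from retrying the same image until it gets lucky.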
## Some Obvious Disadvantages
The main purpose of a CAPTCHA test is to prevent bots from accessing and using parts of the web for malicious purposes. However, the implementation of such a system also has its fair share of downsides.
For instance, they might negatively affect user experience. CAPTCHA tests take time. Yes, 99% of the time these challenges are fairly easy and straightforward. However, if you take into consideration the sheer number of these challenges you have taken online, you'd probably be surprised at how much time you've spent on them in total.
See: [Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness](https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/)
There we are in a rush to access a website, but then we're hit with these CAPTCHAs. Sometimes, it's almost as if they know when you're in a hurry, throwing more and more challenges in the way. One of our members had an unpleasant experience:
"There was a time I ended up not securing a ticket for a concert I was about to attend. I wasn’t frustrated, really, I wasn’t huhu!"
Secured ticket: 0
Answered CAPTCHA: 21
<div style="text-align: center;">
<img src = "https://hackmd.io/_uploads/ryg9Sp9xR.jpg" style="width: 60%; height: auto;">
</div>
<br>
There are also other times when these CAPTCHAs prove to be a hassle and really get under your skin, especially if you're someone who tends to overthink. One relatable experience for image CAPTCHAs is that you might find yourself debating whether a very tiny piece at the bottom right part of a traffic light in a separate box still counts as another traffic light.
<div style="text-align: center;">
<img src = "https://hackmd.io/_uploads/HyTrna9gC.jpg">
</div>
<br>
And it's not just us – imagine folks who can't even recognize what a fire extinguisher looks like, or those who spot a different type of taxi in their country than what's shown in the CAPTCHA images. And let's not forget about people with visual impairments struggling with audio CAPTCHAs. I guess it's a little-known fact that CAPTCHAs, somehow, can discriminate against people too.
## How Do They Hold Up Today?
Older forms of CAPTCHA tests are not impenetrable and can be bypassed quite easily. As a matter of fact, there are plenty of resources that crack CAPTCHAs using OCR (Optical Character Recognition) and other forms of image recognition software to bypass these CAPTCHA tests.
In order to combat these methods, people have started developing more advanced CAPTCHA systems. Google's reCAPTCHA is a relatively well-known example of such. To make the system more robust, reCAPTCHA v2 introduced a system that tests users using images from the real world rather than just an image of a randomly generated string of text.
<div style="text-align: center;">
<img src = "https://hackmd.io/_uploads/SkgSO35e0.png" alt = "recaptchav2">
</div>
<br>
Aside from reCAPTCHA, there's also hCaptcha, visualCaptcha, and more. These services are able to implement CAPTCHA in their own ways. They're great and all because they're a step up from the simple text-based CAPTCHAs, but they're certainly still not invincible. Over time, bots have mastered CAPTCHAs, largely due to advances in machine learning and artificial intelligence. Bots can already solve most forms of CAPTCHAs at higher success rates than humans. In fact, there are already programs out there that crack CAPTCHAs for us. Take Buster, CAPTCHA Solver, or NopeCHA, for instance. With these Chrome extensions, you don't even have to lift a finger: you just add them to your browser, and poof! No more proving you're human. (Admittedly, we plead guilty as some of us have actually resorted to using these extensions too ><)
<div style="text-align: center;">
<img src = "https://hackmd.io/_uploads/B1RLUacxC.png" alt = "kek">
</div>
Bots have become more complex, so the need for more complex solutions arises. Invisible reCAPTCHA (or reCAPTCHA v2 Invisible) and reCAPTCHA v3 took another step further by assessing the user without using a test. Instead, they do this by using user data and browser information. Visually, it looks straightforward because all you need to do is to click a box, but there's actually a lot of stuff going on in the background.
<div style="text-align: center;">
<img src = "https://hackmd.io/_uploads/Hku4PT5eC.png" alt = "kek2">
</div>
Now this looks promising, but it is still not invulnerable to advanced bots. APIs such as ZenRows are capable of bypassing these. Moreover, there is also the issue of how Invisible reCAPTCHA uses your data to determine whether you are a bot or not. This is because it uses your mouse movements as a basis for assessment, which pretty much opens up the possibility for hackers to use this data for malicious intent.
[Here's a related query on Stack Exchange. The verified answer cites some interesting papers too.](https://security.stackexchange.com/questions/178584/can-captcha-solving-patterns-be-used-to-track-identify-a-person)
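
On the site's side, the background assessment that reCAPTCHA v3 performs arrives as a JSON verification reply, and the site still has to decide what to do with it; the sketch below is an added example, not part of the original writeup, and makes no network call. The `success`, `score`, `action`, `hostname` and `error-codes` fields follow Google's documented reply format, while the hostname, action name, threshold and sample replies are assumptions constructed for illustration.

```python
# Assumptions for this sketch: the site's hostname, the action name its
# front end attaches to the token, and the score cut-off.
EXPECTED_HOSTNAME = "tickets.example"
EXPECTED_ACTION = "checkout"
MIN_SCORE = 0.5


def assess(reply):
    """Turn a parsed verification reply into (decision, reason)."""
    if reply.get("success") is not True:
        codes = ",".join(reply.get("error-codes", [])) or "unknown"
        return "block", f"token rejected ({codes})"
    if reply.get("hostname") != EXPECTED_HOSTNAME:
        return "block", "token was issued on a different site"
    if reply.get("action") != EXPECTED_ACTION:
        return "block", "token was issued for a different action"
    score = reply.get("score")
    if not isinstance(score, (int, float)) or score < MIN_SCORE:
        return "step_up", "low or missing score, require a visible challenge"
    return "allow", "score above threshold"


# Constructed sample replies (not captured traffic).
SAMPLES = {
    "human": {"success": True, "score": 0.9, "action": "checkout",
              "hostname": "tickets.example", "challenge_ts": "2024-04-01T10:00:00Z"},
    "scripted": {"success": True, "score": 0.1, "action": "checkout",
                 "hostname": "tickets.example", "challenge_ts": "2024-04-01T10:00:05Z"},
    "reused_elsewhere": {"success": True, "score": 0.9, "action": "login",
                         "hostname": "tickets.example", "challenge_ts": "2024-04-01T10:00:09Z"},
    "replayed": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def decisions():
    return {name: assess(reply)[0] for name, reply in SAMPLES.items()}


if __name__ == "__main__":
    for name, reply in SAMPLES.items():
        print(name, assess(reply))
```

A low score leads to a step-up challenge rather than a hard block, so a real user who happens to score poorly still has a way through.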
## Conclusion
Based on what we've covered, it's safe to say that CAPTCHAs work, but only to a certain extent. Typical CAPTCHAs are somewhat outdated but still serve a purpose. AI and Machine Learning have advanced to the point where CAPTCHAs can be solved with a sufficiently trained bot/machine. However, that does not necessarily make CAPTCHAs *completely* obsolete, since they can still be considered as a protective layer against *less advanced* types of bots.
With that being said, it is arguable whether this level of protection is worth the inconvenience that comes with the system itself. If we're talking about older CAPTCHA systems, then it's easy to say that it's probably not worth all the hassle. However, if we take the more advanced implementations of CAPTCHA into consideration, then you could make a stronger case for it being worth it, since circumventing them would require more resources (better trained bots, more expensive cracking services, etc.). It really depends on the circumstances, and in the end, it is likely that we will still find CAPTCHAs in websites we visit across the internet.
It should also be emphasized that there are other alternatives such as Cloudflare's Turnstile and WP Armour Honeypot that are also effective (perhaps even more) in dealing with bots, but even they could have vulnerabilities. Technology is in a state of perpetual advancement, and some of these solutions may eventually be trivialized by even more advanced bots in the future. This applies to CAPTCHAs and most (if not all) cybersecurity measures. It is simply something we accept and adapt to. In the words of a fellow Redditor from r/computerscience: "...they [CAPTCHAs] will be bypassed, but it's an expensive process and isn't quick either. Such is the field of security in general, perfect security doesn’t exist and vulnerabilities have to keep getting fixed."
</div>
*References*
- Can CAPTCHA-solving patterns be used to track/identify a person? (n.d.). Information Security Stack Exchange. https://security.stackexchange.com/questions/178584/can-captcha-solving-patterns-be-used-to-track-identify-a-person
- How CAPTCHAs work | What does CAPTCHA mean? | Cloudflare. (n.d.). https://www.cloudflare.com/learning/bots/how-captchas-work/
- Humanity wastes about 500 years per day on CAPTCHAs. It’s time to end this madness. (2024, January 9). The Cloudflare Blog. https://blog.cloudflare.com/introducing-cryptographic-attestation-of-personhood/