Decoding Weak CAPTCHA’s

Decoding Weak CAPTCHA’s

TLDR; Weak CAPTCHA services utilized on the internet can be programmatically solved with a fairly high success rate.

Problem

A lot of firms, including mine, have begun to recommended CAPTCHA’s be used on all web forms which feed into existing business processes (registration pages, contact pages, etc). This recommendation can be a double edged sword, because there are still several CAPTCHA services that utilize weak CAPTCHA’s, which can be readily decoded with modern image analysis techniques. That being said several individuals have asked if there is a systematic way to test the strength of a given CAPTCHA, to determine weather it’s weak or not.

Solution

There are two major methodologies currently being widely used to  decode weak CAPTCHA’s. The first technique is to remove the noise from CAPTCHA images by reversing the programmatic functions, used to add visual abstractions. Then simply comparing each character to a set of known sample characters. This method relays heavily on evaluating each weak CAPTCHA service offering and creating reliable function sets to solve individual CAPTCHA’s. The best tool for using this technique to test for known weak CAPTCHA types is pwntcha.

The second methodology uses vector based image analysis to compare each pixels location to the expected location given, each possible character. After consolidating all of these pixel location checks, each possible character is ranked based on its probability of being correct.  The success of this method relays heavily on the use of a reference font, thus if the reference font and the CAPTCHA’s font are distantly different the analysis won’t go well. The best freely available tool I’ve found using this technique to test the strength of CAPTCHA’s is captcha-decoder.

How to use

Unfortunately almost every implementation of CAPTCHA’s is going to be different enough to make web scrapping a sample set of CAPTCHA images difficult. Thus the first step is always going to be downloading three to five CAPTCHA images for testing.

Then we can run each image through pwntcha and see if it can identify the image as a known weak CAPTCHA type.

Pwntcha <img>

Test run using Paypal’s known weak CAPTCHA samples 100/100

Test run of vBullentin’s known weak CAPTCHA samples 100/100

Last we can run captcha-decoder on each of the sample images to try and get an idea if vector based analysis is going to be successful.  You will have to use your best judgment once you receive the results to determine if the risk is high enough to create an issue. Generally if all the correct letters are guessed with over 70% confidence the CAPTCHA should be considered weak. However an organization may believe 70% is too high and may only have a much lower tolerance.

decaptcha <img or img url> –min 0 –max 20 –limit 5 –channels 5 –tolerance 7

Current font test image on mondor (a public API and web resource site)

So here in this case the variable boldness of the letters tricked the vector analysis into thinking the K was an X and the L was an I.

References

Pwntchahttp://caca.zoy.org/wiki/PWNtcha
Pwntcha known compiling issueshttps://blog.bmonkeys.net/2014/build-pwntcha-on-ubuntu-14-04
Note: if you have an issue with bootstrap, edit the bootstrap file to include automake version 13 and 14.
Captcha-decoder – https://github.com/mekarpeles/captcha-decoder
Note: if you have an issue with installing, make sure the python-dev system package is installed.

Free JetCash: How We Got JetCash from the New jet.com

The following is a description of how Tyler Schmidtke and I obtained free JetCash shortly after the launch of the site. This research was conducted on July 25, 2015. We worked with Jet to ensure that the finding described in this post was remedied prior to this blog post being published.

Jet.com is a recently launched eCommerce site hoping to reinvent online shopping. There has been quite a lot of hype around it, so Tyler and I decided to check it out. In browsing the site and watching some of the videos that had been posted, we learned of JetCash, free credits for jet.com that could be earned by shopping at third party retailers. Jet refers to this as Shop Anywhere. In investigating these credits further, we learned that verification for external purchases relied on submission of order confirmation, from the third party, via email. Jet launched with a large list of external vendors, including Nike.com. What was enticing about Nike.com was that 30 percent of the total purchase price at Nike.com, could be directly converted to JetCash.

Upon seeing the conversion rate and looking at the validation method for external purchases, we decided to create an account to test this third party order validation method. Jet.com utilizes a subscription model; however, considering its recent launch, I was able to find a promo code to get 6 months of access for free. Once the account had been created, I proceeded to make a purchase on Nike.com. I didn’t want to invest too much in testing Jet’s external purchase validation, so Tyler and I decided that we would purchase the cheapest thing available (Nike sweat bands).

Nike Purchase, Nike Order, Nike Purchase Order, Free JetCash

The Nike Purchase Order.

Once the order had been placed, we waited to receive the confirmation email. We suspected that this email would be HTML, meaning that it could be easily modified prior to sending to Jet for verification. Shortly after placing the order for 1 Nike sweat band, I received an order confirmation in my inbox. The confirmation email was fairly simple, containing an order number, shipping information, and order details. Considering the validation process relied on this confirmation email, we thought that we would modify the email prior to forwarding it on to the confirmation email at Jet (anywhere@jet.com).

Nike Email, Confirmation Email, Nike Confirmation Email, Free JetCash

Purchase Confirmation email from Nike.

We then just simply edited the html and plain text portions of the email to reflect a quantity of 20 sweat bands instead of 1, and updated the prices accordingly. The email that we forwarded then looked like this:

Spoofed Email, Fake Email, Altered Email, HTML Edits, Free JetCash

The Spoofed Email We sent to Jet Anywhere.

Our purpose for modifying the email was to identify a potential vulnerability in this functionality of Jet.com, so we only modified the email to potentially obtain a slight amount of JetCash. We increased the quantity of the sweat bangs in the confirmation email to 20 and appropriately updated the tax and total. This brought the total of our fabricated order to $114.75, enough to earn us approximately $30 in JetCash.

We sent the modified confirmation email and hoped for the best. After waiting a short while, we received the following email confirming that we had earned $30 in JetCash.

JetCash, JetCash Email, JetCash Award, Free JetCash

Email showing JetCash Award.

It should be noted that we had no intention of using any of this free JetCash. This test was simply conducted for research, to potentially identify a vulnerability in this feature of Jet.com. We notified Jet of our findings and ultimately received the following response.


– Jet does not consider this a security issue as there was no bug present. The steps you describe highlight a temporary process that would allow people to commit fraud and potentially not be caught.
– In order to not delay the launch of Jet Anywhere, the program was launched with a manual verification step for the first two weeks until a more automated link tracking mechanism was in place. Some merchants had automatic link tracking in place while others were manual.
– Jet was founded on core values of trust, transparency and fairness. Jet trusted the “good” in our members to only forward us legitimate receipts and reward them with instant JetCash, and not intentionally committing fraud by altering an actual order.
– The process is now fully-implemented with click-tracking, merchant verification, and pending jet cash in case someone later cancels their purchase.

As stated in Jet’s response, this issue has been resolved. While this was not necessarily a vulnerability related to the technical aspects of Jet.com, Tyler and I still feel that this finding was a signficant flaw that existed on Jet.com during its initial launch period. During the reporting process, Jet was incredibly responsive, keeping in touch with Tyler and I until the issue had been resolved.

During this process, we also learned that Jet’s official bug bounty program is run through Bug Crowd. If you’re interested in helping Jet out by hunting for bugs, you can learn more about the program here: https://bugcrowd.com/jet