Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security

Cloudflare Says New hCaptcha Bypass Doesn't Impact its Implementation (therecord.media) 23

Web infrastructure and website security provider Cloudflare told The Record last week that a recent academic paper detailing a method to bypass the hCaptcha image-based challenge system does not impact its implementation. From the report: The research paper, published last month by two academics from the University of Louisiana at Lafayette, targets hCaptcha, a CAPTCHA service that replaced Google's reCAPTCHA in Cloudflare's website protection systems last year. In a paper titled "A Low-Cost Attack against the hCaptcha System," researchers said they devised an attack that uses browser automation tools, image recognition, image classifiers, and machine learning algorithms to download hCaptcha puzzles, identify the content of an image, classify the image, and then solve the CAPTCHA's challenge. Academics said their attack worked with a 95.93% accuracy rate and took around 18.76 seconds on average to crack an hCaptcha challenge.
This discussion has been archived. No new comments can be posted.

Cloudflare Says New hCaptcha Bypass Doesn't Impact its Implementation

Comments Filter:
  • One is clearly a parking meter, but if you don't select it you will be failed.

    Or the traffic lights that sort of take up a second square, damned if you do, damned if you don't. You WILL be wrong.
    • How else can they extract more free labor from you.

    • One is clearly a parking meter, but if you don't select it you will be failed. Or the traffic lights that sort of take up a second square, damned if you do, damned if you don't. You WILL be wrong.

      Correct. People think it’s actually a human authentication algorithm, but it’s really just the machines gaslighting humans paving the way for the eventual domination and enslavement of humanity by our robotic overlords.

  • This along with endless streams of email verification nonsense is a cancer on the Internet.
    • Use your own domain name. Use the business@yourdomain.com as your email. If you have a catch-all address, this works quite well for knowing who sold your information to whom.

      • A number of mail providers allow you to use foo+bar@domain.com, so I can do foo+spammyplace1@domain.com, which at least will show whom was the first to sell my info out.

        The real cancer are the sites which demand your address and phone number to send a text to, and won't work with Google Voice. For those, I have a burner phone on a prepaid plan.

    • Yes. I'm sick of training AI for free. The more you fight tracking and fingerprinting the more they throw them at you.

      Did you know how hard it is to sign up for a "real" email address without giving up a phone number.

      • Yes. I'm sick of training AI for free.

        I for one am happy to train AI for free. It's the fastest way we'll ever advance as a society buy putting time that would go into verification to also training AI without any additional user effort.

        I hope your house catches fire and a Waymo parks in front of the fire hydrant.

    • This along with endless streams of email verification nonsense is a cancer on the Internet.

      Hear hear! Adobe is notorious for this bullshit. I manage our agency's Adobe VIP account. I add a new user to our account so they can use Acrobat. User receives email from Adobe informing them they need to create an account. User creates Adobe password. User opens Acrobat and inputs email address. Adobe says user must input security code sent to them before they can proceed.

      This all takes place in two minutes. Somehow Adobe can't track the creation of a new account via VIP and the person signing into t

  • Working as Designed (Score:5, Interesting)

    by im_thatoneguy ( 819432 ) on Monday April 05, 2021 @04:59PM (#61240322)

    our system is designed not to leak detections in real-time.

    In other words they give the illusion of passing the Captcha in order to convince antagonists to believe they've cracked it, when in reality the silent alarm has been triggered.

    I had a friend who wrote DRM for a licensing system and they said they did the same thing. There were a wealth of honey pots that would appear to defeat the DRM but set off silent alarms in the software to watermark the cracked software so that support would know that it wasn't a real customer and waste their time. The software would also appear to work at cursory glance but if used in a production environment be unusable. E.g. inexplicably corrupt every other output after 30 days. Crack developers were only interested in the fame and glory of cracking. So if your screen flashed red annoyingly after 30 days they would blame it on the software\user and not look into it. Even crackers don't want to support cracked software users. :D

    • That's wonderful, except if you need that captcha to avoid consuming programmatic resources...

      If you give it to them anyway (but HAH! you know they're not legit!)... you still gave them the resources.

      • It sounds in the article like the Captcha allows small scale attacks to go unblocked but if you attempted to deploy a widescale captcha defeat you would suddenly discover your solution's quality randomly decreases.

    • Even crackers don't want to support cracked software users. :D

      Except that isn't the reality at all. Bugs as a result of cracking triggering issues like this frequently find their way back to crackers and the piracy community very quickly and then get ironed out. It's especially funny when one group upstages the other and rubs their face in it a bit only to have the other fix the crack from the first one.

      As you said, they are interested in fame and glory and it's amazing how much post crack "support" they provide to maintain their reputation.

    • That's not what's happening here. Hcaptcha isn't sharing bot detection with the site operators. I think Cloudflare is just saying that they have other measures to stop bots such as ip reputation and browser fingerprinting. Realistically though, every time they escalate, the bot authors do too and real customers and site owners pay the price. I actually think that things like online limited sneaker drops are stupid and shouldn't exist though, so I don't feel too bad for those people.
  • The researchers said it took an average of 19 seconds of computing time to figure out the captcha.

    About how many seconds do you think it would take to run 256 copies of the script, 16 in parallel, and just try half the options? Just pure brute force? Actually about 64 invocations, because it's never all mailboxes or no mailboxes - it's always a mix.

    You can brute force the captcha in 19 seconds.
    The purpose of the CAPTCHA is to make it expensive to try 100,000 possible passwords. 19 seconds of computing power per try does that.

It's been a business doing pleasure with you.

Working...