Time.com Hack of reCAPTCHA
From: Scott C <splufda...@gmail.com>
Date: Tue, 28 Apr 2009 07:00:38 -0700 (PDT)
Local: Tues, Apr 28 2009 10:00 am
Subject: Time.com Hack of reCAPTCHA
I am in the process of implementing reCAPTCHA to protect the same type
of product that time.com was using reCAPTCHA for.  This product is
equally high profile too.  Will there be a postmortem on what happened
as well as steps taken to prevent hacks like this in the future?

http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/

-SC


From: reCAPTCHA Support <supp...@recaptcha.net>
Date: Tue, 28 Apr 2009 10:45:11 -0400
Local: Tues, Apr 28 2009 10:45 am
Subject: Re: Time.com Hack of reCAPTCHA

 Hi,

This was a manual attack. Although they tried to break reCAPTCHA with OCR
technology, they were not able to do so at all, and resorted to typing ~200k
CAPTCHAs by hand. This took hundreds of hours of effort on their side.
Before time.com implemented reCAPTCHA, the attackers were able to submit
tens of millions of votes, whereas after reCAPTCHA was in, they were only
able to send in 200k votes. In fact, when we talked with the people behind
the attack they said:

> So were we, time and time again they implemented a new bit of "protection"
> ..which still left huge gaps
> it wasn't so much hacking as walking through open doors
> the only thing that genuinely stumped us was recaptcha

In any high profile contest, it's important to implement defence-in-depth. A
CAPTCHA will make it hard to launch an attack, but there need to be secondary
measures to filter out any attack that does occur. We would recommend
implementing the following measures for added security:

   - Reserve the right to remove votes obtained illegitimately.
   - Clean the results quickly, but not in real time. It's important to
   filter out solutions quickly because it removes the incentive for an
   attacker (they don't see their name on the top). On the other hand, you
   should not give away valuable data about your security measures by doing it
   in real time. If a user you believe is a bot votes, pretend you saw their
   vote and remove it later.
   - Record IP addresses, unique ID cookies, User Agent and Referrer values,
   and timing information. These can be useful for filtering results. You
   should look at basic metrics like "number of votes per IP" and filter
   outliers.
   - This site has some analysis of some security measures related to the
   poll: http://www.codinghorror.com/blog/archives/001256.html

We'd be happy to work with you in more detail to make sure that your
high-profile poll is safe from attackers. You can contact us privately at
supp...@recaptcha.net.

- Ben

On Tue, Apr 28, 2009 at 10:00 AM, Scott C <splufda...@gmail.com> wrote:

> I am in the process of implementing reCAPTCHA to protect the same type
> of product that time.com was using reCAPTCHA for.  This product is
> equally high profile too.  Will there be a postmortem on what happened
> as well as steps taken to prevent hacks like this in the future?

> http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/

> -SC

--
reCAPTCHA: stop spam, read books
http://recaptcha.net
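One way to apply the logging-and-filtering advice in Ben's reply, as an added example that is not reCAPTCHA's or the poll operator's code: an offline cleanup pass over constructed vote records (IP, cookie, User-Agent, timestamp, choice) that flags per-IP outliers and machine-regular timing, and only then drops those votes from the tally, so nothing is revealed at submission time. Record layout, thresholds and addresses are assumptions.

```python
"""Offline vote cleanup in the spirit of the advice above: log IP / cookie /
UA / timing per vote, accept everything at submission time, then filter
per-IP outliers in a later pass. Added example; all records are constructed."""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample: (ip, cookie_id, user_agent, unix_ts, choice).
# 10.0.0.9 hammers one choice from a fixed UA with perfectly regular timing;
# the remaining records look like organic traffic.
VOTES = [
    ("203.0.113.5", "c1", "Firefox/3.0", 1000, "alice"),
    ("203.0.113.6", "c2", "Safari/4.0", 1030, "bob"),
    ("198.51.100.2", "c3", "Firefox/3.0", 1055, "alice"),
    ("198.51.100.7", "c4", "MSIE 7.0", 1090, "carol"),
] + [("10.0.0.9", "c5", "curl/7.19", 1100 + 2 * i, "moot") for i in range(40)]

def per_ip_counts(votes):
    """The basic 'number of votes per IP' metric."""
    return Counter(v[0] for v in votes)

def outlier_ips(votes, factor=5.0):
    """IPs whose count exceeds factor * median per-IP count. Median-based so a
    single runaway address cannot drag the baseline up with it."""
    counts = per_ip_counts(votes)
    baseline = max(median(counts.values()), 1)
    return {ip for ip, n in counts.items() if n > factor * baseline}

def regular_timing_ips(votes, min_votes=5, max_jitter=1.0):
    """IPs whose gaps between successive votes are near-constant: a script."""
    by_ip = defaultdict(list)
    for ip, _, _, ts, _ in votes:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        if len(stamps) < min_votes:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            flagged.add(ip)
    return flagged

def clean_tally(votes):
    """Every vote was 'accepted' when cast; flagged IPs are removed only here,
    in the delayed pass, so the attacker learns nothing from the live page."""
    bad = outlier_ips(votes) | regular_timing_ips(votes)
    kept = [v for v in votes if v[0] not in bad]
    return Counter(v[4] for v in kept), bad
```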

From: Scott C <splufda...@gmail.com>
Date: Tue, 28 Apr 2009 08:07:25 -0700 (PDT)
Local: Tues, Apr 28 2009 11:07 am
Subject: Re: Time.com Hack of reCAPTCHA
Thanks for the info, very helpful. This would make a good blog post, I
checked your blog before posting here.

-SC

PS - I wasn't trying to be dramatic when saying it will be high-profile.
I work for espn.com. :)

On Apr 28, 10:45 am, reCAPTCHA Support <supp...@recaptcha.net> wrote:


From: Anonymous <slashdo...@gmail.com>
Date: Wed, 29 Apr 2009 07:23:56 -0700 (PDT)
Local: Wed, Apr 29 2009 10:23 am
Subject: Re: Time.com Hack of reCAPTCHA
Why hello there Mr. espn

If your poll doesn't have anything to do with us you have nothing to
worry about.

If on the other hand your poll should have anything in it that is
potentially lulzworthy in our sense of humor you are not safe.

Even if you put in the measurements our good friend Ben gives you
here, our strength lies in our numbers and our numbers are vast.

- Anonymous

