Time.com Hack of reCAPTCHA


Scott C

Apr 28, 2009, 10:00:38 AM
to reCAPTCHA
I am in the process of implementing reCAPTCHA to protect the same type
of product that time.com was using reCAPTCHA for. This product is
equally high profile too. Will there be a postmortem on what happened
as well as steps taken to prevent hacks like this in the future?

http://musicmachinery.com/2009/04/27/moot-wins-time-inc-loses/

-SC

reCAPTCHA Support

Apr 28, 2009, 10:45:11 AM
to reca...@googlegroups.com
Hi,

This was a manual attack. Although they tried to break reCAPTCHA with OCR technology, they were not able to do so at all, and resorted to typing ~200k CAPTCHAs by hand. This took hundreds of hours of effort on their side. Before time.com implemented reCAPTCHA, the attackers were able to submit tens of millions of votes, whereas after reCAPTCHA was in, they were only able to send in 200k votes. In fact, when we talked with the people behind the attack they said:

So were we, time and time again they implemented a new bit of "protection" ..which still left huge gaps
it wasn't so much hacking as walking through open doors
the only thing that genuinely stumped us was recaptcha

In any high profile contest, it's important to implement defence-in-depth. A CAPTCHA will make it hard to launch an attack, but there need to be secondary measures to filter out any attack that does occur. We would recommend implementing the following measures for added security:

  • Reserve the right to remove votes obtained illegitimately.
  • Clean the results quickly, but not in real time. It's important to filter out solutions quickly because it removes the incentive for an attacker (they don't see their name on the top). On the other hand, you should not give away valuable data about your security measures by doing it in real time. If a user you believe is a bot votes, pretend you saw their vote and remove it later.
  • Record IP addresses, unique ID cookies, User Agent and Referrer values, and timing information. These can be useful for filtering results. You should look at basic metrics like "number of votes per IP" and filter outliers.
  • This site has some analysis of some security measures related to the poll: http://www.codinghorror.com/blog/archives/001256.html
We'd be happy to work with you in more detail to make sure that your high-profile poll is safe from attackers. You can contact us privately at sup...@recaptcha.net.

- Ben
--
reCAPTCHA: stop spam, read books
http://recaptcha.net
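An added example (not code from this thread or from reCAPTCHA) of the secondary filtering Ben describes: every vote is logged with IP, cookie ID, User-Agent and timestamp, the public tally counts everything exactly as received, and a later batch pass drops outliers by votes-per-IP and by inter-vote timing. The log format, the thresholds and the sample log are constructed assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log (assumption, not real poll data): one vote per
# line, tab-separated: unix_ts, ip, cookie_id, user_agent, candidate.
LEGIT = "\n".join(
    f"{1000 + 30 * i}\t198.51.100.{i}\tck{i}\tMozilla/5.0\t{'A' if i % 3 == 0 else 'B'}"
    for i in range(1, 21)
)
# One address submitting 40 votes for "A" at 0.2 s intervals.
FLOOD = "\n".join(
    f"{2000 + 0.2 * j:.1f}\t203.0.113.9\tck{900 + j}\tpython-urllib/2.6\tA"
    for j in range(40)
)
SAMPLE_LOG = LEGIT + "\n" + FLOOD

def parse_votes(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    votes = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        ts, ip, cookie, ua, cand = parts
        votes.append({"ts": float(ts), "ip": ip, "cookie": cookie, "ua": ua, "cand": cand})
    return votes

def public_tally(votes):
    """What the live page shows: every vote counted, nothing filtered yet."""
    return Counter(v["cand"] for v in votes)

def outlier_ips(votes, factor=10, floor=5):
    """IPs whose vote count is far above the median per-IP count."""
    per_ip = Counter(v["ip"] for v in votes)
    cutoff = max(floor, factor * median(per_ip.values()))
    return {ip for ip, n in per_ip.items() if n > cutoff}

def rapid_fire_ips(votes, min_gap=1.0):
    """IPs with consecutive votes closer together than a human could solve a CAPTCHA."""
    by_ip = defaultdict(list)
    for v in votes:
        by_ip[v["ip"]].append(v["ts"])
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        if any(b - a < min_gap for a, b in zip(stamps, stamps[1:])):
            flagged.add(ip)
    return flagged

def cleaned_tally(votes):
    """Batch pass run later, not in real time: drop flagged IPs and recount."""
    bad = outlier_ips(votes) | rapid_fire_ips(votes)
    return Counter(v["cand"] for v in votes if v["ip"] not in bad), bad
```

Run the cleaning pass on a schedule rather than on each submission, so the public tally never reveals which votes were discarded.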

Scott C

Apr 28, 2009, 11:07:25 AM
to reCAPTCHA
Thanks for the info, very helpful. This would make a good blog post, I
checked your blog before posting here.

-SC

PS - I wasn't trying to be dramatic when saying it will be high-
profile. I work for espn.com. :)


Anonymous

Apr 29, 2009, 10:23:56 AM
to reCAPTCHA
Why hello there Mr. espn

If your poll doesn't have anything to do with us you have nothing to
worry about.

If on the other hand your poll should have anything in it that is
potentially lulzworthy in our sense of humor you are not safe.

Even if you put in the measurements our good friend Ben gives you
here, our strength lies in our numbers and our numbers are vast.

- Anonymous