Is reCAPTCHA vulnerable to session replay?

93 views
Skip to first unread message

Cycnus

unread,
May 31, 2007, 3:18:48 AM5/31/07
to reCAPTCHA
As described in this article on PureMango.com.uk?
http://www.puremango.co.uk/cm_breaking_captcha_115.php

I'm curious about possible side-attacks to bypass reCAPTCHA
altogether.

Renaud Bompuis
http://renaud.nkaworld.com
http://blog.nkaworld.com

reCAPTCHA Support

unread,
May 31, 2007, 3:28:50 AM5/31/07
to reca...@googlegroups.com
No, we are not subject to this attack, we only allow a given recaptcha session to be used once. Even if a bug in reCAPTCHA did allow replay, it would have limited use each recaptcha session has the public key of the site embedded in to the signed session identifier. Thus the session can only be used on the originating site.

-Ben

Cycnus

unread,
May 31, 2007, 3:47:05 AM5/31/07
to reCAPTCHA
Thanks for the quick response and the clarification, I think it's an
important one.

Renaud Bompuis
http://blog.nkaworld.com
http://renaud.nkaworld.com

Cycnus

unread,
May 31, 2007, 3:47:09 AM5/31/07
to reCAPTCHA
Reply all
Reply to author
Forward
0 new messages