In association with heise online

19 June 2007, 15:27

Audio captchas outwitted


According to a security advisory published on the SecurityTracker security portal, the Simple Machines 1.1.2 forum software suite contains two flaws. The first reportedly allows the registration protection based on sound captchas to be cracked. Captchas hamper automatic logins to internet services in order to prevent spammers from misusing forums on a large scale. Generally, graphic captchas are used. These are distorted images of text characters that automatic programs have a hard time reading. The human user is required to enter these characters to complete the registration process.

Sound captchas play back letters or a noise as audio. Users then have to enter the word that was read out or identify the sound, which could be a plane, a car, or the like. However, if a spammer can recognize the set of noises, it is only necessary to compare the WAV files using software to detect the particular captcha within that set. The published security advisory contains a tool that demonstrates the flaw.
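The weakness described above can be checked from the defender's side by auditing one's own audio captcha generator for repeated output. The following is an added example, not code from the advisory or from Simple Machines; the clip pool, the two renderers and the `audit` helper are constructed for illustration.

```python
import hashlib, io, random, struct, wave

RATE = 8000  # samples per second (assumed for this example)

def tone(freq, ms=200):
    """Constructed stand-in for a recorded letter clip: a square wave as 16-bit samples."""
    n = RATE * ms // 1000
    return [8000 if (i * freq * 2 // RATE) % 2 == 0 else -8000 for i in range(n)]

# Constructed clip pool: one fixed "recording" per captcha character.
CLIPS = {ch: tone(300 + 40 * i) for i, ch in enumerate("ABCDEF")}

def to_wav(samples):
    """Serialise samples as a mono 16-bit WAV file held in memory."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(RATE)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()

def weak_render(ch, rng):
    """Weak design: every request for a character returns the same stored clip."""
    return to_wav(CLIPS[ch])

def jittered_render(ch, rng):
    """Per-request rendering: fresh low-level noise is mixed into every sample.
    A seeded rng keeps the audit repeatable; production code would use a CSPRNG."""
    return to_wav([s + rng.randint(-500, 500) for s in CLIPS[ch]])

def pcm_digest(wav_bytes):
    """Hash only the audio frames, so header differences cannot hide a repeat."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        return hashlib.sha256(w.readframes(w.getnframes())).hexdigest()

def audit(render, rounds=50, seed=1):
    """Render each character `rounds` times; return distinct audio digests per character."""
    rng = random.Random(seed)
    seen = {}
    for _ in range(rounds):
        for ch in CLIPS:
            seen.setdefault(ch, set()).add(pcm_digest(render(ch, rng)))
    return {ch: len(digests) for ch, digests in seen.items()}

if __name__ == "__main__":
    print("fixed clips:", audit(weak_render))      # 1 per character: replayable
    print("jittered:   ", audit(jittered_render))  # one digest per request
```

A count of 1 for a character means its audio is byte-identical on every request, which is the condition the advisory's file comparison relies on. Unique bytes are only a minimum requirement, since a renderer can pass this audit and still yield to similarity matching.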

In addition to the captcha flaw, it is apparently possible to execute arbitrary PHP code when a Simple Machines forum entry is being written or edited. The security advisory does not, however, provide any further details of this bug.
