PWNTCHA: defeating CAPTCHAs with software

CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) are those distorted-text boxes on websites that you have to read and re-key before you can send an email or create an account. They're used to stop robots from being used to harvest thousands of pages or to create thousands of bogus accounts or send pots of spam.

There's a lot of controversy about CAPTCHAs, not least because visually impaired users have a very hard time using them, but also because there are a lot of programmers who believe that creating an app to read CAPTCHAs just isn't that hard (the easiest way may be to inline a CAPTCHA from the site you're attacking on a site where you're offering free porn, and get the people signing up for the free porn to solve the CAPTCHAs for you).

PWNTCHA is an app that decodes different vendors' CAPTCHAs, to varying degrees of accuracy, producing evidence for the case that CAPTCHAs don't do a great job of keep bad guys out nor of letting good guys in:

PWNtcha stands for "Pretend We're Not a Turing Computer but a Human Antagonist", as well as PWN capTCHAs. This project's goal is to demonstrate the inefficiency of many captcha implementations.

For an overview on why visual captchas are a bad idea, see Matt May's excellent presentation, Escape from CAPTCHA, as well as the W3C's Inaccessibility of Visually-Oriented Anti-Robot Tests working draft.

Link (via Waxy)