5

I'm intrigued that many sites use seemingly random numbers with a random operator as a security check to validate that you're not a bot. Forgive my ignorance in captcha technology, but what is stopping the bot from pulling the simple math problem and calculating it on the fly?

Here's a sample I've pulled from a website and brevitized:

    <h4>Security Question</h4>
    <label for="bp-security-check"> 4 + 8 = </label>
    <input type="hidden" name="bp-security-check-id" value="548bb54471083">
    <input type="number" name="bp-security-check" required="required">

mattshu

3 Answers

11

CAPTCHAs are one area of computer security where "roll-your-own" can be a good idea.

In order to break a CAPTCHA, a bot needs to be programmed to recognize and solve the CAPTCHA. For low-volume, low-value sites, the cost to program a bot to handle even a trivial CAPTCHA such as this is greater than the expected value of breaking it. By the simple expedient of being different, the site operator has eliminated most automated attacks.

Note that a trivial system isn't sufficient to protect a site with any great value, but the benefit of being different remains: a bot operator can't spread the cost of breaking the CAPTCHA over multiple sites.

Mark
  • As an example, I did this once to stop spam from a forum website: During post or registration, disabled the submit button and delayed a code to insert a key and then enable the button after a few seconds. That was enough as most bots will submit the form immediately but humans will take at least a few seconds to fill it. That worked because of what Mark said. If that method became popular, it could be trivial for bots to break it. – lepe Aug 19 '15 at 00:58
  • 4
    Please note that the "roll-your-own" method **does not work** if an attacker targets your site. – Hannes Karppila Mar 06 '16 at 14:44
  • 1
    @HannesKarppila, if you're being specifically targeted, roll-your-own can still work. It becomes a question of whether your CAPTCHA-writing abilities are better than their bot-writing abilities. – Mark Mar 06 '16 at 19:38
1

It does stop the most rudimentary bots which repeatedly POST the same form. As you have mentioned, a more sophisticated bot can evaluate the result and append the unique nonce to every request, thus defeating this system. The most sophisticated bots can even go one step further by performing optical character recognition (OCR) on captcha images and inputting the results.

Perhaps the programmer was lazy in this case, or perhaps the type of form does not require such a high amount of security. E.g., if the form simply adds an email address to a mailing list, there is no need to have sophisticated captchas. However, if the form is used to submit entries to a contest, then you might probably want to have a more sophisticated captcha since there is an incentive for someone to automate the process.

limbenjamin
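The server side of such a check, as an added example that is not part of any answer here and not the code of the site quoted in the question: it ties the answer to a single-use challenge id (the role the hidden `bp-security-check-id` field appears to play), so a bot that replays one captured POST is rejected, and it applies the minimum fill time described in lepe's comment. The class name, the thresholds and the result strings are assumptions made for illustration.

```python
import hmac
import secrets
import time

MIN_FILL_SECONDS = 3    # assumed: humans need a few seconds to fill the form
MAX_AGE_SECONDS = 600   # assumed: stale challenges are refused


class MathChallengeStore:
    """Hypothetical in-memory store; a real site would use its session store."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # challenge id -> (expected answer, issue time)

    def issue(self):
        a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
        cid = secrets.token_hex(8)
        self._pending[cid] = (str(a + b), self._clock())
        return cid, f"{a} + {b} = "  # id for the hidden field, text for the label

    def verify(self, cid, answer):
        # pop() makes the id single use: any attempt, right or wrong, burns it
        entry = self._pending.pop(cid, None)
        if entry is None:
            return "unknown-or-replayed"
        expected, issued = entry
        age = self._clock() - issued
        if age > MAX_AGE_SECONDS:
            return "expired"
        if age < MIN_FILL_SECONDS:
            return "too-fast"
        given = str(answer).strip().encode()
        if not hmac.compare_digest(expected.encode(), given):
            return "wrong-answer"
        return "ok"


def demo():
    """Constructed scenario with a fake clock: instant submit, normal submit, replay."""
    now = [0.0]
    store = MathChallengeStore(clock=lambda: now[0])
    results = []
    cid, _ = store.issue()
    results.append(store.verify(cid, store._pending[cid][0]))  # no delay
    cid, _ = store.issue()
    answer = store._pending[cid][0]  # test shortcut: read the stored answer
    now[0] += 5
    results.append(store.verify(cid, answer))  # after 5 seconds
    results.append(store.verify(cid, answer))  # same POST sent again
    return results
```

`demo()` returns one result per submission; none of these checks stops a bot that fetches a fresh form, waits and computes the sum, which is the limit the answers here discuss.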
-2

Honestly, I don't think that math CAPTCHAs add any sort of security, not even minimal. I'm surprised that many websites still use this sort-of-CAPTCHA check, even for not-so-small websites.

The example provided by the OP can be easily solved in one JavaScript line:

    var solution = eval($('label[for="bp-security-check"]').text().replace(/=/g, ''))

Variants with numbers written in letters are easily solvable in a few lines.

So, the reason "the attacker needs to spend time to build a custom bot" does not really apply. Indeed, an attacker still needs to spend some time to configure the bot (like selecting which <input> is the username or which <input> is the password, etc.), which is probably more time consuming than writing the above line.

There is a huge number of different, already available libraries and services for any sort of programming language that generate and validate CAPTCHA challenges. This should prevent anyone from building a bad and useless "roll-your-own" math CAPTCHA.

  • 1
    "the reason "the attacker needs to spend time to build a custom bot" does not really apply" -- you *just* proved that it does apply. You spent time to build the process that is custom to that site. The protection isn't against being *solvable*, it's about providing a control against the opportunistic, pre-written bots that scour the internet looking for unprotected sites. And as long as even a simple control is effective, then it still works. By definition. There is no "silver bullet" in security. And in 2014, the libraries you mention were not widespread. – schroeder Feb 07 '22 at 13:48