| Version 8 (modified by , 15 years ago) (diff) |
|---|
PWNtcha - captcha decoder
PWNtcha stands for "Pretend We’re Not a Turing Computer but a Human Antagonist", as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations.
For an overview on why visual captchas are a bad idea, see Matt May’s excellent presentation, Escape from CAPTCHA, as well as the W3C’s Inaccessibility of Visually-Oriented Anti-Robot Tests working draft.
History
I created PWNtcha in 2004 as a personal research project, but only published my results, not the program itself. Given the number of captcha-breaking software available for sale now, I changed my mind and decided to publish the PWNtcha source code. It can be downloaded from Subversion:
svn co svn://svn.zoy.org/caca/pwntcha/trunk pwntcha
Note that PWNtcha is now lagging 3 years behind captcha technology and is therefore no longer a very interesting piece of software.
Defeated captchas
PWNtcha is able to detect and decode the following captchas:
| Origin | Samples | PWNtcha efficiency | Comments |
| Authimage |   | 100% | Vendor site: http://www.gudlyf.com/index.php?p=376 Weaknesses: constant font, aligned glyphs, constant glyph position, constant rotation, no deformation, non-textured background, constant colours, no perturbation. |
| Clubic |   | 100% | Weaknesses: constant font, no rotation, no deformation, aligned glyph, constant background, weak colour variation, weak perturbation. |
| linuxfr.org |    | 100% | Weaknesses: constant font, aligned glyphs, no rotation, no deformation, non-textured background, weak colour variation, weak perturbation. |
| LiveJournal? |   | 99% | Weaknesses: constant font, constant character position. |
| lmt.lv |    | 98% | Weaknesses: constant font, almost aligned glyphs, no rotation, no deformation, constant background, no colour variation, weak perturbation. |
| Ourcolony |   | 100% | Weaknesses: constant font, no rotation, no deformation, no colour variation, no perturbation. |
| Paypal |   | 88% | Weaknesses: constant font, almost aligned glyphs, no rotation, no deformation, constant background, no colour variation, no additional perturbation. |
| phpBB |  | 97% | Vendor site: http://www.phpbb.com/ Weaknesses: constant font, no rotation, no deformation, constant colours, weak perturbation. |
| Scode and derivatives |    | 100% | Vendor site: http://james.seng.cc/archives/000145.html Weaknesses: at most 3 different fonts, no rotation, no deformation, weak colour variation, useless perturbation (separate colour key). |
| Slashdot |   | 89% | Weaknesses: constant font, no deformation, constant colours, weak perturbation. |
| vBulletin |   | 100% | Vendor site: http://www.vbulletin.com/ Weaknesses: constant font, fixed glyph position, no rotation, no deformation, almost constant colours, weak perturbation. |
| Xanga |   | 49% | Weaknesses: fixed horizontal glyph position, no rotation, no deformation, constant colours, insufficient perturbation. |
Other captchas and hard captchas
These captchas can currently not be defeated by PWNtcha. Note however that this is not an acknowledgement of efficiency; for instance, EZ-Gimpy can be easily defeated by other projects. However, the Passport/Yahoo? and CFXCaptcha captchas are probably going to last for a long time.
| Origin | Samples | Comments |
| Drupal |    | |
| Trencaspammers |    | |
| Xanga (2) | | |
| 20six |   | Extremely weak captcha, easily removed perturbation. |
| Authimage (3) |   | A very good captcha, but not always human-solvable. |
| CFXCaptcha |  | A very good captcha. |
| Clearscreen |   | Weak perturbation, but interesting use of non-alphanumeric characters. |
| Cwazymail |   | An excellent idea, but a critically buggy implementation. |
| EZ-Gimpy (eg. Yahoo! Briefcase) |  | Already defeated by another project. |
| Hoke |   | A very weak captcha. |
| .Mac |  | A weak captcha that is not always human-solvable. |
| ICQ |   | A pretty good captcha that uses a wide variety of backgrounds and fonts. |
| IMDb |   | A very good captcha with a very well thought implementation, but a small dictionary. |
| MS MVPS |  | Already defeated by another project. |
| MVN Forum |  | A pretty good captcha that uses a wide variety of backgrounds and fonts. |
| Passport |  | A very good captcha, but not always human-solvable. |
| Pichan |     | An apparently weak captcha. |
| Screenname |   | A pretty good captcha that uses a wide variety of backgrounds, fonts and deformations. |
| Yahoo! |  | A very good captcha, but not always human-solvable. |
Development
Development happens in a centralised Subversion repository:
There is also a Git repository that mirrors the central one:
- using the Git protocol: git://git.zoy.org/pwntcha.git
- using HTTP: http://caca.zoy.org/git/pwntcha.git
If you want to discuss PWNtcha or report bugs, you can write to me at sam@zoy.org or join #libcaca on irc.freenode.net.
Links
Page maintained by Sam Hocevar. Contact me for more information: sam@zoy.org.
