The captcha module has been cracked! We have set the Captcha module but it won't help to prevent the spam. We have logged the submitted form states (there are tons of them, I'm afraid) and noticed that the Captcha key code is provided correctly by the spammer (see below).

We are confident we are dealing with a botnet here because the spam messages originate from very different IP-addresses.

I think a message should be posted on the captcha module's page that it's insecure.

array (
  'storage' => NULL,
  'submitted' => true,
  'values' => 
  array (
    'name' => 'PimpStarFilms',
    'mail' => 'zamami-d@ii-okinawa.ne.jp',
    'homepage' => 'http://www.insurproviders.net/',
    'comment' => ' <a href="http://www.insurerspolicies.net/">home insurance</a> 96675 <a href="http://www.find-insurers.com/">State Farm Insurance - Kelly Cloyd</a> %OOO ',
    'format' => '1',
    'cid' => NULL,
    'pid' => NULL,
    'nid' => '168',
    'uid' => 0,
    'op' => 'Opslaan',
    'submit' => 'Opslaan',
    'preview' => 'Voorbeeldweergave',
    'form_build_id' => 'form-59f679f6f00686b796e822b8bfaf3d60',
    'form_id' => 'comment_form',
    'captcha' => '',
    'captcha_sid' => 5118,
    'captcha_token' => '44e4f0ef6661afa1eb17b7e2b3dee536',
    'captcha_response' => 'HAaRm',
    'subject' => 'home insurance 96675 State',
    'date' => 'now',
    'timestamp' => 1308279211,
  ),
  'clicked_button' => 
  array (
    '#type' => 'submit',
    '#value' => 'Opslaan',
    '#weight' => 19,
    '#post' => 
    array (
      'name' => 'PimpStarFilms',
      'mail' => 'zamami-d@ii-okinawa.ne.jp',
      'homepage' => 'http://www.insurproviders.net/',
      'comment' => ' <a href="http://www.insurerspolicies.net/">home insurance</a> 96675 <a href="http://www.find-insurers.com/">State Farm Insurance - Kelly Cloyd</a> %OOO ',
      'form_build_id' => 'form-57ef1106a82b25b81642201a905d4ea0',
      'form_id' => 'comment_form',
      'captcha_sid' => '5118',
      'captcha_token' => '67e73a651a3eac7b66f281d724b428b7',
      'captcha_response' => 'HAaRm',
      'op' => 'Opslaan',
    ),
    '#programmed' => false,
    '#tree' => false,
    '#parents' => 
    array (
      0 => 'submit',
    ),
    '#array_parents' => 
    array (
      0 => 'submit',
    ),
    '#processed' => false,
    '#description' => NULL,
    '#attributes' => 
    array (
    ),
    '#required' => false,
    '#input' => true,
    '#name' => 'op',
    '#button_type' => 'submit',
    '#executes_submit_callback' => true,
    '#process' => 
    array (
      0 => 'form_expand_ahah',
    ),
    '#id' => 'edit-submit',
  ),
  'captcha_info' => 
  array (
    'form_id' => 'comment_form',
    'captcha_sid' => 5118,
    'module' => 'image_captcha',
    'captcha_type' => 'Image',
  ),
  'process_input' => true,
  'redirect' => 
  array (
    0 => 'node/168',
    1 => NULL,
    2 => 'comment-1001',
  ),
)

Comments

soxofaan’s picture

Component: Image Captcha (image_captcha) » Captcha API (captcha)
Category: bug » support
Priority: Critical » Normal

Hi,

All CAPTCHA systems can be easily "cracked"/"hacked"/"bypassed": just put a human in front of it :)
This is by design.

Kidding aside: I think this is a duplicate of #519314: Spam bot getting through?
The point is: it's not because you get spam content that it is posted by automated spam bots; humans can also post spam.
I know a site where you can buy 1000 "humanly" solved CAPTCHAs for one dollar if I remember correctly.

Also, the CAPTCHA module is not about security, only about putting a road block in automated posting workflows.
Once you have a human in the loop, CAPTCHA is all but a security measure, at most an annoyance.

I'm not going to claim that the CAPTCHA module is 100% unhackable, but as far as I know, it works as expected.
I need hard evidence to the contrary: something like a step-by-step recipe to circumvent it.
But you getting spam content on your site is not enough to flag the CAPTCHA module as "insecure".

If you want more "intelligent" CAPTCHA/spam handling, you could also try something like http://drupal.org/project/mollom

Some more references: #1055804: Captcha sessions still being reused

bvanmeurs’s picture

Hi soxofaan,

After installing the re-captcha module the spam suddenly stopped.

Personally, I believe it was a spambot. I don't know if it worked by humanly solved captchas though.

soxofaan’s picture

Status: Needs work » Closed (duplicate)

(Forgot to flag it as a duplicate)

doomed’s picture

I'm having the same issue on a Drupal 6.10 site with Image CAPTCHA 6.x-2.1.

It was ok for a while, but recently lots of spaaaaaam!!!

I'll have to update the module and probably post later with results.

stokemaster’s picture

Version: 6.x-2.4 » 7.x-1.0-alpha3

My site has started to receive some spam today. I am not sure if this is cracked due to human cracking or not. But the contents of the spam are definitely gibberish, so I suspect at least part of the mechanism is automated. The posts also appear to be coming from all different IPs, but some spam messages seem to repeat.

At one point this morning, I added the noise specs, but that did not help.

I have added random lines and that seemed to stop the attack.

If there is anything I can do to help provide more reports and where to get the reports, I will be happy to report them.

stokemaster’s picture

A couple more pieces of info.

I did a traceroute of the origin of the attacks on my site and they were coming from China and appear to be from multiple sources in China. The attack begins, then within 2 minutes or so they would solve the CAPTCHA; after that they use the Track on the page available for some purposes, perhaps to check the success.

I was previously using the mode where once the response was successful, no more responses are needed. I switched that to require the response every time, but the breaching continued. This could be because of the session re-use? I am not sure. Just to make sure, I rebooted the server VM also.

Changing the complexity of the Captcha slightly does not seem to help, so it is most likely the attack must involve human readers.

I have also Googled the phrases that are left as comments and they appear to be targeting Drupal sites.

I have since switched to reCaptcha module and at this moment there are more attacks but no more success.
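
One way to test the session-reuse question raised in this thread against logged form states, as an added example that is not part of the original thread or of the CAPTCHA module's code: group accepted submissions by `captcha_sid` and report any sid that was accepted more than once. The records and the `ip` field are constructed assumptions; `captcha_sid` and `captcha_response` are the field names from the dump in the original post.

```python
from collections import defaultdict

# Constructed sample records (not from the thread): one entry per accepted
# comment submission; "ip" is assumed to be joined in from the web server log.
SAMPLE_LOG = [
    {"ip": "198.51.100.7", "captcha_sid": 7001, "captcha_response": "kQw3x", "timestamp": 1000},
    {"ip": "203.0.113.20", "captcha_sid": "7001", "captcha_response": "kQw3x", "timestamp": 1060},
    {"ip": "192.0.2.55", "captcha_sid": 7001, "captcha_response": "kQw3x", "timestamp": 1125},
    {"ip": "198.51.100.9", "captcha_sid": 7002, "captcha_response": "Tm8pZ", "timestamp": 1300},
    {"ip": "203.0.113.77", "captcha_sid": 7003, "captcha_response": "bR4uE", "timestamp": 1410},
]


def group_by_session(records):
    """Map each captcha_sid to the accepted submissions that used it."""
    sessions = defaultdict(list)
    for rec in records:
        # The dump in the original post shows the sid both as an int and as
        # a string, so normalise before grouping.
        sessions[int(rec["captcha_sid"])].append(rec)
    return sessions


def find_reused_sessions(records):
    """Return {sid: sorted distinct IPs} for every sid accepted more than once."""
    reused = {}
    for sid, recs in group_by_session(records).items():
        if len(recs) > 1:
            reused[sid] = sorted({r["ip"] for r in recs})
    return reused


def classify(records):
    """Summarise which explanation the log supports."""
    sessions = group_by_session(records)
    reused = find_reused_sessions(records)
    replayed = sum(len(sessions[sid]) - 1 for sid in reused)
    return {
        "accepted": len(records),
        "distinct_sessions": len(sessions),
        "replayed_submissions": replayed,
        "verdict": "session reuse" if replayed else "one solved challenge per post",
    }


if __name__ == "__main__":
    print(find_reused_sessions(SAMPLE_LOG))
    print(classify(SAMPLE_LOG))
```

A "session reuse" verdict points at a server-side validation problem; "one solved challenge per post" means every spam comment carried its own freshly solved challenge, which this check alone cannot attribute to human solvers or to automated recognition.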
