CrowdSourcing
Captcha Bypass via Crowdsourcing
Overview of the Vulnerability
A Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) allows an application to tell whether a user is a human or a robot. Powerful Optical Artificial Intelligence (OAI) enabled tools require a large amount of data to build models that break CAPTCHA implementations. An attacker can leverage OAI tools to bypass the CAPTCHA and make requests to critical functionality without any rate limit. Forms that are normally protected by a CAPTCHA can even become a vector for Denial of Service, since each bypassed submission executes database reads and writes many times over.
Business Impact
CAPTCHA bypass can lead to reputational damage for the business due to a loss in confidence and trust by users. It can also result in indirect financial loss to the business through the extra workloads placed on internal teams to deal with spam from an attacker.
Steps to Reproduce
Navigate to the following endpoint with CAPTCHA: {{value}}
Use {{software}} to bypass CAPTCHA
Proof of Concept (PoC)
The screenshot(s) below demonstrate the CAPTCHA bypass:
{{screenshot}}
Recommendation(s)
The configuration of CAPTCHAs should be thoroughly tested for design and implementation flaws to prevent an attacker bypassing the CAPTCHA.
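As an added illustration (not part of this template), a hypothetical server-side design that treats the CAPTCHA as only one control: a solved challenge yields a signed, single-use, short-lived token, and the protected endpoint is rate limited per client regardless, because a crowdsourced solving service produces genuine solutions at scale. `SECRET`, `CaptchaGate` and the client identifier are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict, deque

SECRET = b"constructed-placeholder-secret"  # would be loaded from server config


class CaptchaGate:
    """Hypothetical gate in front of a CAPTCHA-protected endpoint."""

    def __init__(self, max_per_window, window_s, token_ttl_s=120, now=time.time):
        self.now = now                    # injectable clock for testing
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.token_ttl_s = token_ttl_s
        self.used = set()                 # redeemed token ids (replay protection)
        self.hits = defaultdict(deque)    # client -> timestamps of accepted requests

    def _mac(self, tid, issued):
        return hmac.new(SECRET, f"{tid}.{issued}".encode(), hashlib.sha256).hexdigest()

    def issue_token(self):
        """Called once a challenge is solved; format: id.issued_at.mac"""
        tid, issued = secrets.token_hex(8), str(int(self.now()))
        return f"{tid}.{issued}.{self._mac(tid, issued)}"

    def _consume(self, token):
        """Accept a token at most once, only if authentic and unexpired."""
        try:
            tid, issued, mac = token.split(".")
            age = self.now() - int(issued)
        except ValueError:
            return False
        if not hmac.compare_digest(mac, self._mac(tid, issued)):
            return False
        if age > self.token_ttl_s or tid in self.used:
            return False
        self.used.add(tid)
        return True

    def allow(self, client, token):
        """True only if the token is valid AND the client is within its rate limit."""
        if not self._consume(token):
            return False
        q, t = self.hits[client], self.now()
        while q and t - q[0] > self.window_s:   # drop hits outside the sliding window
            q.popleft()
        if len(q) >= self.max_per_window:
            return False
        q.append(t)
        return True
```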
For more information, please see: