Buster: is there a future for CAPTCHA?
Hello everyone, this week’s a short blog to try and keep people engaged to my writing instead of leaving it as desolate as it has been. As an update, I’ve passed my annual CompTIA exams and can continue to pursue IT and infosec topics for another 1000 days. I’m incredibly thankful for the people who have surrounded and encourage me to get to this point and go beyond from here. I turned a small thank you into a blog post. If you have free time, feel free to read through it.
I digress to this week’s topic.
The hot button subject right now is CAPTCHA, aka ‘Completely Automated Public Turing test to tell Computers and Humans Apart’, aka “Does the street light also include the utility pole?” And yes, you can play doom on them.[1]
Captchas were used since 1997 but termed in around the 2000’s, before automated scripts and crawlers could really do much more than scour the web for sites and pages to collect for backrub, yahoo and askjeeves. In the year 2021, do they still have a necessary home? There’s around 20 providers, but are they effective?[3]
Enter the bots, the scripts, the AI and machine learning. They can do anything from image heuristics to audio synthesis to deepfake rendering of nearly-real people all through software. Not to say that security researchers don’t find ways to go around captchas similar to bots to post content anyway, through header changes, proxying or scripts. However, we’re focusing on scripts and bots for this blog. The question to answer from here is: Can bots break a captcha? The answer in 2021 is yes, they can.
Meet Buster, a plugin gaining popularity fast. Buster is often used alongside uBlockOrigin and other script tinkering tools. Buster takes the captcha on the page and seemingly reads the audio file to bypass it. This isn’t anything new to browser addons, I could reminisce about Firefox plugins such as Betterprivacy and Noscript from years past which stopped nosy popups and other Rogue Antivirus scams from strutting their stuff back in 2006. It’s an interesting look back in time, but not necessarily relevant to how buster is exemplifying how users see captchas as more a nuisance than a help.
Fun fact: Noscript is still around today!
That’s to say, the captcha isn’t looking for a correct answer only. CAPTCHAS also looking at other datapoints to calculate a risk score for each user to solve them. Mouse movements, keystroke rate (not keylogging. By god that’d be bad) and time on the webpage. IP and geolocation as well. All of this churns out an allow or deny for the current user session, stored on either a cookie or local file.
So should we, the security department, with our No Fun Allowed signs and an iron grip on our users, make these risk markers stricter to thwart those pesky bots? Or is it time for captcha to finally die out like the dinosaurs? Well one size fits all is a bad example for tacky concert tshirts, so it might be a bad example here too.
Lets look at some use cases and figure out the problem.
1. Mary has a cooking blog. Mary’s blog allows comments on the recipes she makes. Mary puts in a captcha for the comment section. This introduces new problems. Mary’s readers who require accessibility features have a much harder time using her site, and new comments are discouraged as a result. Mary loses engagements.
2. Bert owns a website where he sells PS5 bikes. Bert’s PS5 bikes are in high demand right now, and he sells out the minute he gets them in stock. He implements captchas to prevent simpler bots from circumventing the checkout system and ordering more than 1 bike. This works at first, but later introduces new problems. Bert now has to deal with smarter bots and users using scripts that can get around captchas, and legitimate users have a slower time getting to checkouts, giving the bots and scripts a leg up on the situation. It also hurts accessibility, similar to Mary’s problem.
It’s not so controversial to say captcha may not be the right solution to AI for the year 2021. Well, what should we be using instead?
One of my personal favorite checkout systems comes from Wizard of the Coast and their ‘Secret Lair’ limited stock products. The service they use is queue-it[4]. It creates a virtual line for users to preorder items and it prevents supply sellouts. This is similar to Ticketmaster whos theater seat reservation software holds your spot to order for a short time. This system works fantastically to both avoid PR backlash about supply, and to keep customers aware if they’re going to get their product or not. One problem I foresee with this tool however is popularity. There will be hackers and pentesters looking at how to abuse this system to their advantage. Security through obscurity is often times not security at all. Additional solutions will need to step forward over time.
So if you’re a small business, stocking your site and guarding it with a captcha is an okay solution for the short term. For the long run, a specialty solution would be better. This would be the best idea for Bert. For Mary, considering a 3rd party to handle comments and having anti-spam controls alongside site security would be a better route.
In conclusion, the captcha is a tool that is showing its age. We need better solutions for the current era with how machine learning AI has evolved to the modern era. As the tide shifts back to users with better defenses, maybe you’ll get a chance to grab that PS5 bike without bit-crunching bots breaking the digital doors down.
Sources:
[1]https://vivirenremoto.github.io/doomcaptcha/
[2]https://www.smbc-comics.com/comic/2011-02-17
[3] https://www.programmableweb.com/news/10-top-captcha-apis/brief/2019/11/17
