Re: Hardening CAPTCHA against attacks - actual people solving the CAPTCHA for mal intent

Browsers can defeat this, but only if the server providing the original captcha supplies a valid X-Frame-Options header. That being said, not a lot of servers supply the X-Frame-Options header. http://mzl.la/1uoQz94 What you're talking about is essentially a form of clickjacking. On Wednesday, 3 December 2014 21:23:53 UTC, Allen Webb wrote: I was impressed by the new developments to reCAPCHA which use the entire user experience as input for the detection process. As a grad student working on security research I wonder how this impacts the known attacks to CAPCHAs specifically attacks which involve tricking users into solving a CAPCHA on behalf of an attacker through a third party service. There may already be measures in place against this kind of attack since it was published in 2004 (http://bit.ly/1uoQz95). I think it would be an interesting problem to solve because regardless of how good a CAPTCHA is at detecting bots the loophole of attackers tricking or motivating people to solve CAPTCHAs on their behalf may be significant. Along these lines I have the following questions: Are measures already in place for defeating this kind of attack? (I don't want to spend too much time looking into a problem that is already solved) Are there any measurements / estimates to how much this kind of attack has already been used? (It might not be worth looking into this problem yet if there isn't enough abuse of the loophole to justify the effort) -- You received this message because you are subscribed to the Google Groups "reCAPTCHA" group. To unsubscribe from this group and stop receiving emails from it, send an email to recaptcha+unsubscribe@googlegroups.com. To post to this group, send email to recaptcha@googlegroups.com. Visit this group at http://bit.ly/1dkFnYd. For more options, visit http://bit.ly/P65DvS.