I took a look into the possible defenses versus clickjacking, and to me it looks like it might be a good idea for the recaptcha admin page (http://bit.ly/16b600a) to check the HTTP header for the X-Frame-Options line to give security recommendations to the web developer. That way, if their site isn't configured to prevent clickjacking, they could be warned ahead of time. I would imagine that most high-volume sites targeted by attackers would probably already use this option to prevent accounts from being stolen through clickjacking.

I was looking into how hard it would be to detect an attack so statistics could be collected. This might work (http://bit.ly/1zUFYaH), but the attackers could use the same anti-frame-busting techniques involving XSS filters to disable it. If it just used AJAX to log the referrer domain rather than trying to break out of the frame, an attacker might not even notice it.

On Thursday, December 11, 2014 8:48:29 AM UTC-6, James Turner wrote:

Browsers can defeat this, but only if the server providing the original captcha supplies a valid X-Frame-Options header. That being said, not a lot of servers supply the X-Frame-Options header. http://mzl.la/16b600e

What you're talking about is essentially a form of clickjacking.

On Wednesday, 3 December 2014 21:23:53 UTC, Allen Webb wrote:

I was impressed by the new developments to reCAPTCHA which use the entire user experience as input for the detection process. As a grad student working on security research, I wonder how this impacts the known attacks on CAPTCHAs, specifically attacks which involve tricking users into solving a CAPTCHA on behalf of an attacker through a third-party service. There may already be measures in place against this kind of attack since it was published in 2004 (http://bit.ly/1uoQz95).

I think it would be an interesting problem to solve because, regardless of how good a CAPTCHA is at detecting bots, the loophole of attackers tricking or motivating people to solve CAPTCHAs on their behalf may be significant. Along these lines I have the following questions:

Are measures already in place for defeating this kind of attack? (I don't want to spend too much time looking into a problem that is already solved)

Are there any measurements / estimates of how much this kind of attack has already been used? (It might not be worth looking into this problem yet if there isn't enough abuse of the loophole to justify the effort)
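The header check proposed in the first reply above, written as an added example that is not part of this thread or of reCAPTCHA itself: given a dict of response headers (the sample sets are constructed), it reports whether other sites can frame the page and what to recommend. It goes beyond the thread by also honouring the CSP frame-ancestors directive, which modern browsers consult in preference to X-Frame-Options.

```python
# Added example (not from the thread): assess whether a site's response headers
# stop other sites from framing it, the check the reply suggests the reCAPTCHA
# admin page could run. It goes beyond the thread by also honouring the CSP
# frame-ancestors directive, which browsers consult before X-Frame-Options.

def _get_header(headers, name):
    """Case-insensitive lookup, since HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None

def _frame_ancestors(csp_value):
    """Return the frame-ancestors source list of a CSP header, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def assess_framing_protection(headers):
    """Return (protected, recommendation) for a dict of HTTP response headers."""
    csp = _get_header(headers, "Content-Security-Policy")
    ancestors = _frame_ancestors(csp) if csp is not None else None
    if ancestors is not None:  # CSP frame-ancestors takes precedence over XFO
        if "*" in ancestors:
            return False, "CSP frame-ancestors * lets any site frame this page."
        return True, "OK: CSP frame-ancestors restricts who may frame this page."
    xfo = _get_header(headers, "X-Frame-Options")
    if xfo is None:
        return False, "Add X-Frame-Options: DENY (or SAMEORIGIN) to block clickjacking."
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return True, "OK: X-Frame-Options " + value + " blocks framing by other sites."
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is ignored by most browsers; use CSP frame-ancestors."
    return False, "Unrecognised X-Frame-Options value '" + xfo + "'; browsers ignore it."

# Constructed sample header sets, not captured from any real site.
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "deny": {"x-frame-options": "DENY"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "invalid": {"X-Frame-Options": "ALLOWALL"},
}
```

On a live site the same function can be fed the headers of a real response, for example the header mapping urllib returns, so the recommendation text could be shown to the developer the way the reply suggests.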