bestkungfu weblog

Spammers, porn and accessibility

Filed in: Web, accessibility, Tue, Oct 7 2003 22:19 PT

a CAPTCHA image: several contorted words appear on a swirly blue background

In a paper I’m writing for one of my working groups, I’m describing the accessibility problems related to visual verification systems, also known as CAPTCHA. You’ve seen these before (unless, that is, you can’t see, in which case you’ve experienced the problem with them): a block of garbled text shows up, and you have to type in what it says. It’s designed to be a Turing test, keeping non-human users from accessing resources while letting humans (in this case, sighted, non-dyslexic humans) in.

Among the reasons that this is a stupid idea, as I explain in the paper, is that this is no long-term solution:

It is important to note that, like seemingly every security system that has preceded it, this system can be defeated by those who benefit most from doing so. For example, spammers can pay a programmer to aggregate these images and feed them one by one to a human operator, who could easily verify hundreds of them each hour. The value of visual verification systems is low, and their usefulness will diminish rapidly once it is commonly exploited.

Fast-forward: A colleague forwarded this article to a list I’m on. It appears that spammers are getting more creative than that: they’re actually getting people browsing porn to verify the image.

But at least one potential spammer managed to crack the CAPTCHA test. Someone designed a software robot that would fill out a registration form and, when confronted with a CAPTCHA test, would post it on a free porn site. Visitors to the porn site would be asked to complete the test before they could view more pornography, and the software robot would use their answer to complete the e-mail registration.

This is one of the most fascinating hacks I’ve seen. Imagine: you may have to thank the people browsing Web porn for making user verification a little more accessible.

That is, unless somehow they make it worse.
