Windows Live Hotmail “CAPTCHA” security compromised; bot attacks in 6 seconds or less, according to security blog

By Kip Kniskern | Posted April 16, 2008 3 comments

Via Ars Technica

The Websense Security Labs blog is reporting that a new bot threat is capable of defeating the Windows Live Hotmail CAPTCHA security measure, and can break that code in less than 6 seconds, create new accounts, and use them to send spam.


The blog has a detailed analysis of exactly how the bot is working, some of it pretty technical, but it does appear that the CAPTCHA process has been compromised.  Earlier this year, reports of the same thing happening to Hotmail accounts, and then to  GMail accounts surfaced, and it appears that the methods for attacking CAPTCHA are rapidly becoming more sophisticated and more widespread, and could result in a significant increase in spam, unless new measures are implemented.  This all becomes something of a cat and mouse game, as security measures are devised, and then in turn, defeated.


Trying to defeat spammers and malicious bot networks is an ongoing battle that hasn’t been easy to win.  Microsoft Research has developed a system they are calling ASIRRA (Animal Species Image Recognition for Restricting Access), which requires the recognition of a picture of a dog or a cat, something fairly easy for a human but quite difficult for a computer program.  ASIRRA, in partnership with (who supply the pictures) is available now, but whether or not ASIRRA, or any other security system, will appear as a replacement for CAPTCHA in Windows Live Hotmail remains to be seen.

Posted April 16th, 2008 at 12:12 pm
Category: News
Tags: ASIRRA, CAPTCHA, Hotmail, spam
  • tophtucker

    I actually find ASIRRA a lot easier than some modern CAPTCHAs, haha.

    This is getting ridiculous and a little scary. How long will we be able to stay ahead of the computers? What’ll CAPTCHAs look like in just 10 years?

    Anyway, I like this approach:


  • quikboy

    I like ASIRRA better too. Sometimes it’s hard to pick out the characters in CAPTCHA, and it annoys the heck out of me when I have to redo it again.

    I never noticed you had to use CAPTCHA to sign-in Live Hotmail. Do you?

  • SteveBallmer

    Win Hotmail Live Ultra is coming soon people!