Windows Live Hotmail “CAPTCHA” security compromised; bot attacks in 6 seconds or less, according to security blog

Via Ars Technica

The Websense Security Labs blog is reporting that a new bot threat is capable of defeating the Windows Live Hotmail CAPTCHA security measure, and can break that code in less than 6 seconds, create new accounts, and use them to send spam.


The blog has a detailed analysis of exactly how the bot works, some of it pretty technical, but it does appear that the CAPTCHA process has been compromised. Earlier this year, reports surfaced of the same thing happening to Hotmail accounts, and then to Gmail accounts. The methods for attacking CAPTCHA appear to be rapidly becoming more sophisticated and more widespread, and could result in a significant increase in spam unless new measures are implemented. This all becomes something of a cat-and-mouse game, as security measures are devised and then, in turn, defeated.


Trying to defeat spammers and malicious bot networks is an ongoing battle that hasn’t been easy to win. Microsoft Research has developed a system they are calling ASIRRA (Animal Species Image Recognition for Restricting Access), which requires the user to recognize a picture of a dog or a cat, something fairly easy for a human but quite difficult for a computer program. ASIRRA, in partnership with (who supply the pictures), is available now, but whether or not ASIRRA, or any other security system, will appear as a replacement for CAPTCHA in Windows Live Hotmail remains to be seen.