Hotmail Exploit Silently Snooped & Microsoft Audio CAPTCHA Easily Defeated
More bad news for Microsoft, in the form of security researchers proving two very different fails: audio CAPTCHAs defeated, and Hotmail exploited to silently "steal" email.
The first fail is not leveled solely against Microsoft: Stanford University researchers found a way to break the popular audio CAPTCHA technology used by Microsoft's Live.com, Yahoo, Authorize.net, eBay, and Digg. In "The Failure of Noise-Based Non-Continuous Audio Captchas" [PDF], the researchers describe a program they built called Decaptcha that can listen to and decipher audio CAPTCHAs. The study called most CAPTCHA methods "inherently insecure." The researchers report that the "per-captcha precision of Decaptcha is 89% for Authorize, 41% for Digg, 82% for eBay, 48.9% for Microsoft, 45.45% for Yahoo and, 1.5% for Recaptcha. We improve our previous work's result on eBay from 75% up to 82%." They concluded that Decaptcha's accuracy for commercially available audio CAPTCHAs rivals crowd-sourced attacks. Exploiting the vulnerability with Decaptcha's system would require no specialized knowledge or hardware. "Its simple two-phase design makes it fast and easy to train on a desktop computer."