Last modified: 2013-11-24 20:04:23 UTC

Bug 13286 - Small CAPTCHA challenge set
Status: NEW
Product: Wikimedia
Classification: Unclassified
Component: General/Unknown
Platform: All
OS: All
Importance: Low enhancement (1 vote)
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Reported: 2008-03-07 18:45 UTC by Mike.lifeguard
Modified: 2013-11-24 20:04 UTC
CC: 4 users

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---


Description Mike.lifeguard 2008-03-07 18:45:23 UTC
This was only discovered by creating hundreds of accounts (one for each wiki), and is therefore perhaps not a real security concern.
There are sometimes repeated CAPTCHAs or words which shouldn't appear. Once a CAPTCHA is used, it should likely be binned for all wikis. On several occasions I've had the same CAPTCHA more than once.
The only example I can remember is alsopoet, which has been used two times, but there are others (I mentioned this previously to Brion in IRC).
Comment 1 Brion Vibber 2008-03-07 18:46:54 UTC
Yeah, the current scheme is not very super and will be biased to some items depending on the existing random distribution. A nice queue with proper expiration and refreshing would be better.
Comment 2 Tim Starling 2008-03-12 06:14:33 UTC
There are 10,000 captchas, so coincidences are likely after ~sqrt(10000) = 100 attempts. That's not a break in itself; the break comes if the attacker is able to manually solve say 100 captchas, and then do a brute force attack with a success rate of 1%. But an OCR method may well give a better hit rate, so it might not be worth all that human effort to build the dictionary. A manually-constructed dictionary can easily be invalidated by regenerating the captchas, but an OCR method would require a change to the algorithm.
Comment 3 Tim Starling 2008-03-12 06:23:09 UTC
Changed title, the problem is the challenge set size, not the randomness. It's perfectly random.
Comment 4 Nemo 2013-09-17 09:49:49 UTC
Not a MediaWiki, but a Wikimedia issue in FancyCaptcha images generation, and possibly a superseded one if Aaron produced the last set with a bigger dictionary. Aaron?
Comment 5 Andre Klapper 2013-11-22 15:29:18 UTC
Aaron: Could you answer comment 4 please?
Comment 6 Platonides 2013-11-24 20:04:23 UTC
There is an option in confirmedit ($wgCaptchaDeleteOnSolve) to delete the captchas after they are used. See bug 24730.
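The dictionary-attack arithmetic in comment 2 and the delete-on-solve option mentioned in comment 6, worked through as an added example. This is not code from MediaWiki or ConfirmEdit; it is a constructed model that assumes a challenge set of 10,000 ids served uniformly at random, and models $wgCaptchaDeleteOnSolve simply as "a solved id is never served again". The class and function names are the example's own.

```python
"""Added example: why a small CAPTCHA challenge set leaks, and what
delete-on-solve changes. Not code from MediaWiki/ConfirmEdit; the pool
model and numbers below are constructed for illustration."""
import math
import random


def expected_attempts_to_repeat(pool_size):
    """Birthday bound: expected uniform draws from pool_size items until
    the first repeat is about sqrt(pi * N / 2); for N = 10000 that is
    ~125, i.e. on the order of sqrt(N) as comment 2 says."""
    return math.sqrt(math.pi * pool_size / 2)


def dictionary_hit_rate(pool_size, solved):
    """Chance that a freshly served challenge is one the attacker has
    already solved, if solved challenges stay in the pool (100/10000 = 1%)."""
    return min(solved, pool_size) / pool_size


def mean_draws_until_repeat(pool_size, trials, seed=0):
    """Measure the birthday bound empirically: average number of uniform
    draws until a challenge id comes back a second time."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen = set()
        draws = 0
        while True:
            draws += 1
            c = rng.randrange(pool_size)
            if c in seen:
                break
            seen.add(c)
        total += draws
    return total / trials


class ChallengePool:
    """Constructed model of a challenge set: ids 0..size-1 served uniformly
    at random. With delete_on_solve=True a solved id is never served again
    (the behaviour $wgCaptchaDeleteOnSolve is meant to give)."""

    def __init__(self, size, delete_on_solve, rng):
        self.available = list(range(size))
        self.delete_on_solve = delete_on_solve
        self.rng = rng

    def serve(self):
        return self.rng.choice(self.available)

    def mark_solved(self, challenge):
        if self.delete_on_solve:
            self.available.remove(challenge)


def simulate_dictionary_attack(pool_size, dictionary_size, attempts,
                               delete_on_solve, seed=0):
    """Attacker solves dictionary_size challenges by hand, then submits
    `attempts` automated requests, answering only when the served
    challenge is already in the dictionary. Returns the hit rate."""
    rng = random.Random(seed)
    pool = ChallengePool(pool_size, delete_on_solve, rng)
    dictionary = set()
    # Phase 1: manual solving builds a dictionary of distinct challenge ids.
    while len(dictionary) < dictionary_size and pool.available:
        c = pool.serve()
        dictionary.add(c)
        pool.mark_solved(c)
    # Phase 2: automated attempts; each hit is a free account or edit.
    hits = 0
    for _ in range(attempts):
        c = pool.serve()
        if c in dictionary:
            hits += 1
            pool.mark_solved(c)
    return hits / attempts


if __name__ == "__main__":
    N, K, A = 10000, 100, 10000
    print("expected draws until first repeat:", round(expected_attempts_to_repeat(N), 1))
    print("measured draws until first repeat:", mean_draws_until_repeat(N, 200))
    print("hit rate, solved challenges kept:", simulate_dictionary_attack(N, K, A, False))
    print("hit rate, delete on solve:", simulate_dictionary_attack(N, K, A, True))
```

With the set kept intact the automated phase succeeds at roughly the 1% rate comment 2 predicts; with delete-on-solve the hand-built dictionary is worthless the moment it is built, because every solved id has left the pool. The model deliberately leaves out the OCR route comment 2 also raises, which delete-on-solve does nothing against, and it does not refill the pool, so in practice deletion only works alongside regenerating challenges so the set is not simply consumed.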