Before the now-infamous Parler social network’s disappearance, we assessed their “roll-your-own” CAPTCHA.

Parler was a social network for mostly American political conservatives who got kicked off Twitter, Facebook, etc. You get the idea.

Like Gab but not as prepared for a good ol’ de-platforming by the Big Tech cartels. Because within the last week —

  • Google and Apple purged its mobile apps from their marketplaces.
  • AWS kicked them off their infrastructure.
    • Even though supposedly they were paying like $300K a month to AWS with that sweet sweet Mercer Money 🤑.
  • Other notable hosts like Digital Ocean have preemptively stated Parler is not welcome there.

Anyway, there’s lots of discussion in the tech world about Parler right now. They might’ve been key to organizing whatever it was that happened January 6 at the U.S. Capitol.

(Image: 2021 U.S. Capitol man with horned hat. Caption: “Curse you, Parler!”)

I’m just a hacker fiending for reputation within the infosec world. Like a hot dog stand amidst civil unrest, I saw opportunity here, with Parler.

(Image: 2021 U.S. Capitol hot dog opportunist)

Something to assess before it dies and people forget about it.

Update: Parler went offline 2021-01-10 while I was still doing this post, oops.

The first time I anonymized myself to pay the site a visit, a blog topic revealed itself. A seemingly homemade CAPTCHA appeared to “protect” the platform.

(Image: example of the Parler CAPTCHA)

On visual inspection alone, I knew this could be defeated via F-Secure Labs’ CAPTCHA22 because it’s just text.

CAPTCHA22 is a toolset for building and training CAPTCHA-cracking models using neural networks. These models can then be used to crack CAPTCHAs with a high degree of accuracy. When used in conjunction with other scripts, CAPTCHA22 gives rise to attack automation, subverting the very control that aims to stop it.

It is simply a matter of grabbing and labelling about 200 samples, then letting the TensorFlow model that CAPTCHA22 wraps do its thing. Sample collection might be helped by d0nk’s unofficial Parler API, which can retrieve CAPTCHAs.

Could you subvert this anti-automation control another way? Perhaps, but it would require active pen testing against something I didn’t get permission to test.

And again, this is a legitimate organization, in the legal sense, with money to spend pursuing legal action.

Trying out CAPTCHA22 can be done passively, since collecting CAPTCHA images looks no different from a normal visit. It needs around 200 labelled samples to train on. We then grab maybe another 30 that the model has not seen, to measure how the trained model actually performs.

After training, I found the model to be XX.XX% accurate versus those CAPTCHA samples. Good enough for an attack.
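The 200-sample training and roughly 30-sample hold-out check described above, as an added example that is not code from this post or from CAPTCHA22. It assumes the trained model can be called as `solve(image_id) -> str`; the solver stub, the sample ids, their labels and the five-character format are all constructed for the demo, not taken from the post. It also turns the hold-out accuracy into the number the attack actually cares about: how many CAPTCHAs the bot has to fetch per successful submission.

```python
"""Hold-out evaluation for a text-CAPTCHA solver.

Added example, not CAPTCHA22's own code. Assumes a trained model is exposed
as `solve(image_id) -> str`; the stub solver, sample ids and labels below are
constructed for the demo.
"""
import random
from typing import Callable, Dict, Iterable, List, Sequence, Tuple

Sample = Tuple[str, str]  # (image id or path, hand-labelled ground truth)

# Constructed hold-out set: ids the model was NOT trained on, with hand labels.
HOLDOUT: List[Sample] = [
    ("img01", "fb3kq"), ("img02", "x9pd2"), ("img03", "r4tlm"), ("img04", "zc8ne"),
    ("img05", "h5wvu"), ("img06", "k2jsy"), ("img07", "b7gfa"), ("img08", "m3ncx"),
    ("img09", "w7m2a"), ("img10", "qd0xs"),
]

# Constructed stand-in for the trained model: right on 8 of 10 and wrong in the
# way wavy-text models usually are (a 7 read as 1, a 0 read as o).
_STUB_ANSWERS: Dict[str, str] = dict(HOLDOUT)
_STUB_ANSWERS["img09"] = "w1m2a"
_STUB_ANSWERS["img10"] = "qdoxs"


def stub_solver(image_id: str) -> str:
    """Pretend model; a real one takes image bytes and runs inference."""
    return _STUB_ANSWERS[image_id]


def split_samples(samples: Sequence[Sample], train_size: int = 200,
                  seed: int = 1) -> Tuple[List[Sample], List[Sample]]:
    """Shuffle once with a fixed seed and carve off `train_size` for training.

    Whatever is left is the hold-out set. The model must never see it while
    training, otherwise the accuracy number measures memorisation, not cracking.
    """
    pool = list(samples)
    random.Random(seed).shuffle(pool)
    return pool[:train_size], pool[train_size:]


def evaluate(solve: Callable[[str], str], holdout: Iterable[Sample]) -> dict:
    """Score a solver on labelled hold-out samples.

    exact      fraction solved end to end; this is the number the attack runs on.
    per_char   fraction of characters right, position-wise; shows which glyphs
               the model confuses even while exact-match is still low.
    """
    n = exact_hits = char_hits = char_total = 0
    confusions: Dict[Tuple[str, str], int] = {}
    for image_id, truth in holdout:
        n += 1
        guess = solve(image_id)
        exact_hits += int(guess == truth)
        for want, got in zip(truth, guess):
            char_total += 1
            if want == got:
                char_hits += 1
            else:
                confusions[(want, got)] = confusions.get((want, got), 0) + 1
        # A guess shorter than the label loses every character it failed to emit.
        char_total += max(0, len(truth) - len(guess))
    if n == 0:
        raise ValueError("hold-out set is empty")
    return {
        "samples": n,
        "exact_hits": exact_hits,
        "exact": exact_hits / n,
        "per_char": char_hits / char_total if char_total else 0.0,
        "confusions": confusions,
    }


def submissions_needed(successes: int, exact_hits: int, samples: int) -> int:
    """CAPTCHAs the bot must fetch and answer to get `successes` through.

    Each attempt succeeds independently with probability exact_hits/samples, so
    on average successes * samples / exact_hits submissions are needed. Uses
    integer arithmetic and rounds up, so no floating-point surprises.
    """
    if samples <= 0 or exact_hits <= 0:
        raise ValueError("need at least one correct hold-out solve to estimate")
    return -(-successes * samples // exact_hits)


if __name__ == "__main__":
    metrics = evaluate(stub_solver, HOLDOUT)
    print(f"exact-match {metrics['exact']:.2%} on {metrics['samples']} samples, "
          f"per-character {metrics['per_char']:.2%}")
    print("confusions:", metrics["confusions"])
    print("submissions for 100 successes:",
          submissions_needed(100, metrics["exact_hits"], metrics["samples"]))
```

With the constructed stub this reports 80% exact-match and 96% per-character accuracy, so 100 successful submissions cost 125 CAPTCHA fetches; with a real model, plug the CAPTCHA22 inference call in place of `stub_solver` and the 30 held-out images in place of `HOLDOUT`.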

Update: Again, it died 2021-01-10 while this post was in progress, sorry!

What’s the moral of the story?

You should probably not roll your own CAPTCHA like this. At least not wavy text.

My personal preference is hCaptcha for in-client bot detection. But I also have worked with Google reCAPTCHA v3, Google reCAPTCHA Enterprise, and Akamai Bot Management SDK before.

Any of these would be preferable to rolling your own thing. hCaptcha can actually pay you for usage in some cases.

Are any of these a “silver bullet” to malicious automation? No.

They can all be detected easily and farmed out to human solvers if an attacker is that industrious. But paying humans per solve is expensive compared to a CAPTCHA22 model, which costs nothing per solve once trained.

Any of these companies could also choose to “de-platform” you, perhaps. Maybe that’s why Parler rolled their own solution here. Who knows.

Check out hCaptcha if you’re building something that is not controversial…!

(Image: 2021 U.S. Capitol flag man)


Randy Gingeleski - GitHub - gingeleski.com - LinkedIn