Yahoo! Briefcase and CAPTCHA

Yahoo! has announced that it will discontinue Y! Briefcase service. Well it was about time as really never knew anyone who actually used this service.

What Y! Briefcase did contribute to was a series of innovative abuse-prevention measures. When the service was launched, storage of any kind was very expensive and Yahoo Briefcase offered 30MB of free storage online. (Remember these were the days when your email capacity was few MB’s). It was frustrating when you had more than 30MB to store online and one had to buy a premium user accounts to store more.

Some intelligent hackers decided to write a small application, which would go to Yahoo Briefcase, create few thousand accounts and then take large amounts of data, split them into chunks of 30MB, and spread them across these accounts. So you had free, almost unlimited storage online and this application was using Yahoo Briefcase in the background. These applications were suddenly using up more than 60% of the system resources alloted for Y! Briefcase. How would one stop this ?

I was privileged to be part of the team that had to solve this problem. Udi Manber who was the Chief scientist at Yahoo! at that time decided to step in and help with these problems. We had just heard about a small research project named ‘CAPTCHA‘ which was being tested in Carnegie Mellon University. We looked at it, played with it and finally decided to roll it out to remove automated creation of accounts. We had few hiccups, and over time learnt to build a bulletproof CAPTCHA product. This as far as I know was the first large scale deployment of CAPTCHA which of course today is used in almost all web applications. Of course some people got around the CAPTCHA problem by using real human.

A lot of other anti-abuse and rate-limiting measures were first introduced thanks to Yahoo! Briefcase which are used across Yahoo as well as across many web applications today. This was also the only project which I ever had to write entirely in C++ (I’m still a big fanboy of procedural programming languages). Though the service is dead, it did help fuel a lot of webapp security tools which everyone uses today.


  1. sriniram · February 5, 2009 Reply

    Hey, thanks that was a nice backstory.

  2. Anonymous · February 5, 2009 Reply

    My claim to fame

    Udi is one of the smartest humans to ever exist. Comparing his intelligence with mine produces a divide-by-zero error. So, my claim to fame is that once while talking to him about how he was implementing his CAPTCHA back in those early days, something came up to which I said “why on earth are you doing it that way, why don’t you just XXX” to which he replied “you can do XXX????”. So I explained it to him, and he was tickled pink.

    I was tickled pink to explain anything, at all, to someone of that caliber. I am not worthy.

    Jeffrey Friedl Kyoto,Japan

  3. oldpondfrog · February 6, 2009 Reply

    Wow! That’s awesome that you were part of an industry first 🙂

    I read a cool countermeasure was used by hackers for CAPTCHA:
    Direct the challenge to other users who would then piecemeal get to view parts of a pornographic image as a reward for cracking the puzzle!
    That’s really clever…human bots…vulnerability is lust…no patch available 😉

  4. admin · February 6, 2009 Reply

    Re: My claim to fame

    Heh. That was one nice thing about Udi. He would listen to anyone.. and since I was just out of college, I was really scared just to talk to him, but I’ve had endless hours of discussions with him and most of the time he would explain why he was doing something they way he thought was right.

    Him leaving was one of the biggest losses Y! ever had.

  5. admin · February 6, 2009 Reply

    I swear. That was one of the first ways people broke captcha. We tried to patch that by looking at referrer logs. Thats worked for a while, but its not too tough to set a referrer log in your bot.

  6. mmk · February 7, 2009 Reply


    Come to think of it, that app used Briefcase for Storage as a service. S3-ish 😉

    Cloud computing, except for movies 😉 Ze Germans. I tell you.

  7. Anonymous · February 10, 2009 Reply


    Hi Kalyan, i follow your journal off and on and really admire the talent you have but i alwyas think why smart people like you cant start a real IT company in India something like a google or microsoft or even smaller but which is a real IT company ? I am really sick of politicos running the likes if Infy and TCS and making millions out of so many young indians and killing their talent totally .
    Its high time people like you develop our own Sergey Brin and Larry Page and start showing the world the real thing :-)) ….what do you say ?

  8. Anonymous · February 14, 2009 Reply

    “Well it was about time as really never knew anyone who actually used this service.”

    I did – to store my ex’s emails. Well, good riddance..

  9. manish_chaks · March 2, 2009 Reply


    webapps written using C++. I’d assume most of the yahoo stuff is with JSP/PHP

    Just had a look at your journal… makes for awesome reading.. from this article the brilliant photos that you posted.

    While I have never used any of your pics as a wallpaper (If I ever want to do, i’ll ask 🙂 ) i have shown your pics to friends and family.. essentially gave them the link to the home page ; Awesome pics and awesome blog dude 🙂

    Also wanted to share with you the first pic i took via a digicam.. a Kodak C330 ..
    Nowhere near as good as your pics,but wanted to show it to you.
    ( I was 19 when I had this )

  10. admin · March 3, 2009 Reply

    Re: interesting..

    NIce photograph. If you know how to play with levels.. you can really enhance the photograph in post.

  11. Anonymous · March 24, 2009 Reply

    Great history

    Thanks for that one, it’s one of the things that most people don’t know about Yahoo Briefcase. To be honest, ordinary users like this blogger at have forgotten they have even created an account and have some files in Briefcase. I guess it’s really one loss that’s not really felt that much 🙂

Leave a Reply