Google Fixes reCAPTCHA Before Leak

Thursday, May 31, 2012 @ 01:05 PM gHale

Hackers developed a script able to crack Google’s reCAPTCHA system, which differentiates between man and machine, with a success rate of better than 99 percent.

Right before the hackers showed off their research at the LayerOne security conference in Los Angeles, however, Google made improvements to its CAPTCHA system.

Of the various CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) systems, Google’s reCAPTCHA is considered to be one of the most reliable for differentiating man from machine. By requiring users to enter visually distorted alphanumeric sequences, web service providers can, for example, ensure their registration forms are not flooded by spam bots. Rather than trying to analyze these distorted characters, the script, code-named “Stiltwalker,” analyzed the audio version of the CAPTCHAs, which Google provides for individuals who are visually impaired.

Stiltwalker makes use of various techniques, including machine learning, but it also exploits the fact that the computer voice has a very limited vocabulary. While text CAPTCHAs are highly complex, relying on a large pool of words in a variety of fonts, Google’s audio CAPTCHAs use just 58 different English words.

Slightly frustrated, Defcon Group 949 presented their research results just as Google had fixed the problem.

To make automated analysis more difficult, Google adds a background murmur, which computers usually have a hard time filtering out. The hackers discovered that the background consisted of a limited number of recordings of radio programs.
