Bots Can Now Fool Human-Verifying CAPTCHAs

By Gary Cutlack on 07 Apr 2016 at 3:30PM

Image and text reCAPTCHA systems, designed to tell a person trying to remember their password apart from a rogue AI trying to empty a bank account, have been breached, with a team demonstrating an automated system that took an average of around 20 seconds to break into 70 per cent of the CAPTCHAs it was presented with. That’s better than most humans.

The people responsible have put together a paper on how they did it [PDF], if you’ve finished all the Harry Potters and are after something a bit weightier. In layman’s terms, what the team did was to create a “cost-effective alternative” to employing people to crack codes, by using a virtual host to generate acceptable cookies — creating 63,000 of these from a single IP address in a day.

The team said some lessons have already been implemented, saying: “Following our disclosure, reCaptcha altered the safeguards and the risk analysis process to mitigate our large-scale token harvesting attacks. They also removed the solution flexibility and sample image from the image captcha for reducing the attack’s accuracy. We have also informed Facebook, but have not been notified of any changes.”

