New Google CAPTCHAs now cracked
Even the latest images in Google’s reCAPTCHA can be cracked with sufficient reliability to allow protective services to be exploited. Last week, Google complained that claims to this effect only related to an old CAPTCHA method from 2008 that is no longer used.
Now, Jonathan Wilkins, the author of the analysis report, has taken a closer look at the new captchas. The main difference is the lack of the horizontal separator line used in the old captchas. Users now find the words easier to read – but so do machines. "The new version of the puzzle is weaker", Wilkins told The H's associates at heise Security. In his tests, Wilkins managed to increase the success rate of conventional text recognition nearly tenfold over the previous version (from 5 out of 200 to 23 out of 100).
The Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) is designed, for instance, to prevent email accounts from being automatically created so that spam can be sent out. The problem with this application scenario is that spammers do not need to be 100% successful. Merely succeeding one out of ten times when creating email accounts is more than sufficient. However, it's also possible to add additional background protection to the services, such as by limiting the number of requests from a single IP address.
- Google's reCAPTCHA dented, a report from The H.
- Strong CAPTCHA Guidelines v1.2, updated paper from Jonathan Wilkins.