When it comes to interacting with a website, it always seems to want to know if you’re a human. Sure, my cat has managed to get to a surprising number of sites on her own, but websites aren’t really worried about cats. Rather, they want to keep bots from getting in and mucking things up. That’s why most sites employ some sort of CAPTCHA, a challenge that a person can solve easily but that automated software is supposed to find hard. Unfortunately, some of the best ones have now been cracked.
The classic CAPTCHA shows distorted letters and numbers that a human can read but that optical character recognition struggles with. Google’s reCAPTCHA and Facebook’s challenge have moved on to semantic image puzzles: you are shown a grid of pictures and asked to pick the ones that match a description, such as all the images containing a street sign. The bar for the attacker is that the guess has to be right in a single attempt, since a wrong answer just produces a fresh challenge. Now three security researchers have found a way to defeat both Facebook’s CAPTCHA and Google’s reCAPTCHA with apparent ease, using deep-learning image classifiers to work out what the pictures show.
Once the trio had devised their improved method of CAPTCHA cracking, they put it to work on Google’s and Facebook’s image challenges. Against reCAPTCHA they tested 2,235 challenges and came out with a success rate of 70.78%, at an average solving time of 19.2 seconds per challenge. Facebook’s system was even easier to crack, with a success rate of 83.5% over 200 challenges, though the smaller sample means that figure carries more uncertainty than the Google one.
The findings from the research team have been published in a paper titled ‘I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs’. What’s interesting is that before publishing, they reached out to both Google and Facebook to disclose their findings. Google took action to strengthen reCAPTCHA against this new method of attack. Facebook, on the other hand, did not respond to them.
This is one of those interesting situations where a team of security researchers has published a paper on how to defeat a widely deployed security measure. In the long run it should lead to stronger defenses, as it already has at Google, but for now anyone who wants to bypass current image CAPTCHAs has a detailed guide to help them on their way.