Google’s reCAPTCHA defeated by security researchers

April 19, 2016

Let’s start with where the word ‘captcha’ came from. It turns out that captcha is an acronym for Completely Automated Public Turing test to tell Computers and Humans Apart. The idea behind the captcha technology (and behind the original Turing test as well) is simple: it’s a test humans are able to pass, but online bots cannot. Captcha usually comes in the form of a distorted text image that must be re-typed in order to verify you’re not a computer.

Google's reCAPTCHA defeated by security researchers

Captcha technology is important because it provides simple and practical security to a variety of different things, such as protecting website registration, preventing comment spam on blogs, making sure only humans vote in online polls and more. Without the captcha technology, spammers could potentially abuse these situations by setting up numerous accounts, leaving a ridiculous number of comments, or voting an unlimited number of times in the same poll.

The first versions of captcha were relatively easy for computers to bypass. It resulted in an arms race between hackers and captcha developers. After the former brought a new version of captcha down, the latter would come with a newer, stronger version.

At some point Google took the stage and released it’s reCAPTCHA, which is now unofficially considered a captcha standard. It uses not only distorted text but also images and is believed to be one of the strongest captcha services. Google’s reCAPTCHA technology is used by Google itself, Facebook and many other websites as a means of protecting against spam and abuse. In fact, reCAPTCHA is the most popular captcha provider in the world.

Unfortunately, it seems the technology might not be as foolproof as once thought.

Security researchers at Columbia University have discovered flaws in Google’s reCAPTCHA technology that open the door for hackers to influence the risk analysis, bypass restrictions, and deploy large-scale attacks.

The researchers stated they were able to design a low-cost attack that successfully solved more than 70% of the image reCAPTCHA challenges, and each challenge required an average of only 19 seconds to solve. They also applied the system to the Facebook image captcha and found an accuracy level of 83.5%. The higher accuracy on Facebook is believed to be a result of Facebook’s images being of a higher resolution.

The system used techniques that allowed it to bypass cookies and tokens, and used machine learning as a way of correctly guessing the images. The funny part is that this reCAPTCHA breaking system is powered by Google’s own reverse image search. But it also can work offline.

“Nonetheless, our completely offline captcha-breaking system is comparable to a professional solving service in both accuracy and attack duration, with the added benefit of not incurring any cost on the attacker,” the researchers stated, emphasizing the simplicity and cost-effectiveness of this particular attack.

Before the findings were made public, the researchers alerted Google and Facebook to inform them of these potential flaws. They stated that Google responded by attempting to improve the security of reCAPTCHA, but Facebook does not appear to have taken any steps towards improvement.

Researchers believe that hackers could reasonably charge $2 for 1000 solved captchas, and as a result could make over $100 a day. They could stand to make even more if they launch multiple attacks at once or utilize additional techniques.

The research shows that there is a still a lot to be done in the world of cybersecurity, but also gives the chance for many companies, such as Google, to move forward and more actively look at their current security measures. Google has already shown interest in strengthening its security, and hopefully other websites aren’t far behind.