Hacking and defeating Google's reCAPTCHA with a 99% accuracy

224 points by ahmadss, almost 13 years ago
"Note: In the hours before our presentation/release, Google pushed a new version of reCAPTCHA which fully nerfs our attack."

14 comments

apendleton, almost 13 years ago
One exciting thing about this: the entire model of reCaptcha (at least the text ones; I assume the audio ones are similar) is to make people do useful work when solving captchas by having them complete tasks that they consider too hard for computers to do well (in the text reCaptcha case, OCR). If someone writes software that can defeat the captcha, it does mean the security model is broken, but it also means the state of OCR technology (or audio recognition or whatever) has been advanced, and the digitization of books that had previously required human intervention can now be accomplished by automated means. In other words, spammers are incidentally creating the tools to expand the scope of digital human knowledge. Win-win, really.
drharris, almost 13 years ago
After so much work, gotta love the footnote here: "Note: In the hours before our presentation/release, Google pushed a new version of reCAPTCHA which fully nerfs our attack."
omonra, almost 13 years ago
This may be very interesting to crack, but who is responsible for Google making their CAPTCHA almost impossible for humans to decipher now? I seriously have to click 5 times before even seeing anything resembling letters I can parse.
throwaway1979, almost 13 years ago
Google's captcha system is horrid. I've mentioned this to people on the accessibility team but to no avail. They used to have a wheelchair icon next to the bloody scrambled text. I taught a computer class to seniors and it was painful watching them deal with the account sign up process (also, I thought it was insulting asking a mobile senior to click on the wheelchair icon ... to the designer ... FU!). Clicking on the wheelchair would give audio that barely made any sense to me. The whole process was stupid.

Like many others, I can barely get through their captcha service. I'm actually happy people circumvented it. Maybe someone will think it through this time around.
s_henry_paulson, almost 13 years ago
Here's the Ars Technica article which does a much better job explaining the system:

http://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/
dutchbrit, almost 13 years ago
I actually tried hacking reCaptcha via audio and the Google Speech to text API a few days ago. It didn't work unfortunately, it really frustrates me at times when I have to refresh reCaptcha 10 times to actually be able to read the damn thing!!
danso, almost 13 years ago
In systems that are less secured than Google, the audio captcha seems trivial to break...I think I've seen one on court sites that read a combination of numbers from 1 to 9 with some variance in the vocal speed. I'm not an audio engineer but that seems fairly trivial to crack (though maybe their visual captcha would be easier...I dunno, not an expert in OCR either).

It's a good lesson in a form of social engineering. Sites have to provide this alternative access for the visually impaired...yet I bet the resources/creativity put behind it is not at the same level as the kind put into the captcha used by 99% of the userbase. Furthermore, the most important client -- your boss -- is likely to not be blind him/herself, which eliminates that extra critical layer of oversight.
Graphon, almost 13 years ago
> Note: In the hours before our presentation/release, Google pushed a new version of reCAPTCHA which fully nerfs our attack.

I take it that "fully nerfs" means this defeat of recaptcha is no longer useful?
roguecoder, almost 13 years ago
Pretty sure I don't have 99% accuracy at solving reCAPTCHAs. Perhaps it's become a CAPITCHA, Completely Automated Public Inverse Turing test to tell Computers and Humans Apart...
joelthelion, almost 13 years ago
What are we going to do once all CAPTCHAS are completely broken?
verroq, almost 13 years ago
Their testing and high success rates on the public Google reCaptcha test probably tipped off a Google employee internally.
kedyr2, almost 13 years ago
Captchas are very annoying. It is surprising that they have lasted this long. What would be the best alternatives?
monsterix, almost 13 years ago
Now here is some serious hacker's news! Was getting nagged by 'what NewEgg can/can't do' posts of late.
wendsday, almost 13 years ago
A company that relies on a bot that accesses others' resources to make money and at the same time relies on reCAPTCHA to frustrate other bots from accessing its own resources.

It may be easy to do today, but, going forward, how do we determine which bots are "good" and which ones are "bad"?

Clearly, simply being a "bot" does not imply "bad" intent. If it did then we should all be blocking search engine bots. Yet this is what reCAPTCHA does: it blocks not based on intent, but based on the characteristic of being a "bot".