Gmail CAPTCHA Cracked
I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."
Remember: CAPTCHA is an acronym (or backronym, depending on who you believe) for "Completely Automated Public Turing test to tell Computers and Humans Apart".
The CAPTCHA would be considered cracked if there was a computer algorithm somewhere decoding it autonomously.
http://recaptcha.net/
http://xkcd.com/233/
Turing machine? Long magnetic tape with simple instruction set and finite alphabet? Don't we essentially have those for all intents and purposes? Turing did more theoretical work with computers than just AI.
Written by the same fella who came up with the original CAPTCHA, Luis von Ahn.
One word that is shown to you is always known. The second one is unknown. In your case, you entered the known word correctly.
As an anti-bot measure, reCAPTCHA starts showing pictures with BOTH known words if you (anyone with your IP) incorrectly guess two words in one hour, AFAIR.
Same reason you don't just supply a checkbox labelled "I'm not a bot". The Flash has to pass its "okay" result to the server somehow, which is either a JavaScript call on the page containing the Flash, or via a GET/POST of its own. Point being that Flash (as far as I'm aware) has no way of contacting the server that is any different than what the browser itself can do.
So the user's punched the monkey 3 times. As the developer, how do you let the server know this fact? By setting a hidden form element of "punched_monkey" to 1? By POSTing to /monkey-captcha.zzz with form_id=12345&punched_monkey=1? Not exactly very difficult to bypass via bot automation. ;)
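The point of the comment above, as an added example that is not part of the original thread: a handler that trusts a client-reported result, beside one that keeps the expected answer on the server and checks the submission itself. The function names, the in-memory store and the sample answer are hypothetical; only the `form_id` and `punched_monkey` fields come from the comment.

```python
import hmac
import secrets
import time

_pending = {}  # challenge id -> (expected answer, expiry time); server-side only


def weak_verify(form):
    """The pattern from the comment: the client reports its own result."""
    return form.get("punched_monkey") == "1"


def issue_challenge(answer, ttl=120, now=None):
    """Store the expected answer on the server; the client only sees an opaque id."""
    now = time.time() if now is None else now
    cid = secrets.token_urlsafe(16)
    _pending[cid] = (answer.strip().lower(), now + ttl)
    return cid


def strict_verify(form, now=None):
    """Check the submitted answer against server state; each id is single use."""
    now = time.time() if now is None else now
    entry = _pending.pop(form.get("cid", ""), None)  # removed on any attempt
    if entry is None:
        return False  # unknown, forged, or already-used id
    expected, expiry = entry
    if now > expiry:
        return False
    given = form.get("answer", "").strip().lower()
    return hmac.compare_digest(expected.encode(), given.encode())


if __name__ == "__main__":
    # Constructed request using the field names from the comment.
    forged = {"form_id": "12345", "punched_monkey": "1"}
    print("weak handler accepts client flag:", weak_verify(forged))
    print("strict handler accepts client flag:", strict_verify(forged))
    cid = issue_challenge("k7Qp")  # constructed sample answer
    print("correct answer:", strict_verify({"cid": cid, "answer": "k7qp"}))
    print("replayed id:", strict_verify({"cid": cid, "answer": "k7qp"}))
```

Server-side checking only removes the client-asserted flag; it does nothing about challenges that are solved by software or relayed to people, which the rest of the thread discusses.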
It's also true that _average_ people only break CAPTCHAs successfully about 80% of the time. Here's a relevant experiment
Then there are possible issues with firewalls etc. Some bots are hosted on a zombified PC which could have any kind of restrictions, and it might have trouble dialing one of the servers, or maybe the server can't respond properly due to inbound filtering.
Your point is right, but the article clearly states the captchas are being proxied to humans, the English translation of the Russian screenshot is correct.
Also, don't expect the people who get paid very little to be accurate in what they type.
Don't listen to the trolls, you are not alone at all.
It really depends on the captcha being used, but the real problem is that a good percentage of the time on the hard captchas you just cannot make a definitive choice on a single letter.
That means you got a 50/50 shot of being right on it. If it was 2 letters, which is more rare, now you got a 1/4 chance of being right.
I have seen some captchas that are so ridiculous in their attempts at obfuscating the letters, that it is just next to impossible. Maybe that is the whole point too. A strong captcha may be one that a human fails at half the time.
The translation given on the page is quite precise. I was going to post a translation on Slashdot but then saw that they did a great job themselves.