Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Hackers Listened Their Way Around Google's Recaptcha

Posted by timothy on from the listen-to-what-the-flower-children-scream dept.

An anonymous reader writes with this story at Ars Technica: "Three self-taught hackers from the DC949 hacker collective managed to use a combination of techniques to beat ReCaptcha with 99.1% accuracy (better than most humans!)" In short, the hackers skipped the visual part of the Recaptcha system entirely, focusing on the audio alternative, which gave them a few convenient angles of attack. Google responded with changes to the system, but that doesn't minimize their accomplishment.

25 of 101 comments (clear)

  1. Weakest Link by whitesea · · Score: 2

    They wisely chose the weakest link to attack.

    1. Re:Weakest Link by amicusNYCL · · Score: 5, Funny

      If they can solve captchas at 99% accuracy, I hope they develop a browser toolbar or plugin I can use.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Weakest Link by mattack2 · · Score: 2

      Audio ReCaptcha is the Weakest Link! Goodbye!

  2. Singularity by MrEricSir · · Score: 3, Insightful

    Since they beat the Turing Test, this means we've reached the AI singularity... right?

    --
    There's no -1 for "I don't get it."
    1. Re:Singularity by GodfatherofSoul · · Score: 2

      "More human than human." It just means the Tyrell Corporation was working on it.

      --
      I swear to God...I swear to God! That is NOT how you treat your human!
    2. Re:Singularity by Quillem · · Score: 2
      Quoting the coda of the story:

      While the changes stymied the Stiltwalker attack, Adam said his own experience using the new audio tests leaves him unconvinced that they are a true improvement over the old system.

      "I could only get about one of three right," he said. "Their Turing test isn't all that effective if it thinks I'm a robot."

      :)

      --
      Quillem : An India-centric mishmash of things.
    3. Re:Singularity by mcgrew · · Score: 3, Interesting

      You bring to mind something I read long ago, too long ago for a citation. A researcher was running a turing test with one subject seeing if he could decide which terminal was a computer and which had a computer on the other end.

      The tester just sat there without inputting anything. Pretty soon a message came up on one screen: "Is there anybody there?"

      "That's the human," the tester said

      --
      Free Martian Whores!
  3. Snake meet tail by V-similitude · · Score: 5, Insightful

    I realized there's an interesting aspect to this, in that gVoice transcription is actively trying to do basically the same thing these guys did* (albeit in a far more general way). Wonder how gVoice would do transcribing google's own recaptcha audio. Someone go try that. Either way though, it's an interesting dilemma if they ever got automatic transcription good enough to defeat these audio recaptchas.

    * Well, after RTFA, I realize that a fair bit of what they did was actually more related to hashing (and the pseudo-random generator) vs actually trying to parse the audio, but still.

  4. Another solution.. by Ziekheid · · Score: 5, Informative

    Most of the spammers who circumvent captcha's use real people to fill in their captcha's for them. How they do it:
    1) A pay-per-filled-in-captcha site (where members solve captcha's, not really getting paid eventhough they think they will be) OR a high traffic site (false/scam sites, hacked sites, etc)
    2) Mirror the image from the site you want to spam to your own site
    3) A person visits your own site with the mirrored image and solves the captcha
    4) Mirror the answer back to the site you want to spam
    5) ???
    6) Profit! (literally)

    1. Re:Another solution.. by Anonymous Coward · · Score: 5, Insightful

      Reminds me of the story of the guy who would play 8 games of chess simulataneously in an octagon and absolutely guarantee he'd win 50% of the games at least.

      He then proceeded to play the moves of the players opposite each other against each other.

  5. "Better than most humans" by Anonymous Coward · · Score: 5, Funny

    That's it! Make all users do a SERIES of incredibly hard recaptchas. Those who get too many correct are machines! Brilliant!

    1. Re:"Better than most humans" by Anonymous Coward · · Score: 5, Interesting

      ...especially if they solve them in less time than the duration of the audio. (Only half kidding: They solved millions of eight second long captchas in a second and a half each and Recaptcha didn't even blink.)

  6. Gone too far... by whydavid · · Score: 4, Interesting

    I had one of these the other day that was beyond absurd. The visual was a complete scrambled mess, with nearly every letter seemingly equally likely too be 2 or 3 different letters. The audio was even worse: loud gibberish in the foreground with what sounded like someone whispering the actual text in the background. It wasn't until 2 reloads later that I was lucky enough to get a recaptcha that was only slightly ambiguous, and I was able to get it on the 2nd guess. I was far more annoyed at this than I ever have been at a spambot. I'm not sure this is a step in the right direction. Time to move away from garbled text.

  7. yawn by jkerman · · Score: 2

    It EXACTLY minimizes their accomplishment. Everyone knew the day that was easily exploited, google would get a little less accessable to the disabled. Everyone knew it was the weakest attack point. (jerks!)

  8. I'd like to find out how to break it too by Zorque · · Score: 2

    Google's captchas are the worst I've ever seen. They're almost always unreadable and need to be refreshed all the time. I like Recaptcha (which isn't what Google uses on their sites despite owning it), they're generally pretty clear and in addition provide a free service to anyone that wants to use it. I have no clue why Google sticks with their awful in-house captchas for Gmail, Youtube, etc.

  9. I bet Siri could solve it. by niftymitch · · Score: 4, Insightful

    I bet Siri could solve it.
    All the voice tools out there could be harnessed to this sad end.

    --
    Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
  10. Re:How far behind were the criminals/spammers? by icebike · · Score: 4, Interesting

    Quote summary:

    Google responded with changes to the system, but that doesn't minimize their accomplishment.

    On the contrary, yet is does minimize their accomplishment. It makes it all for nothing, a technical exercise, with no near term or long term payback.
    Recaptcha is a huge con, no more secure then the original captcha. The second (or first) portion being there only to serve some other purpose, and any answer will do.

    Adding the audio option (probably forced by ADA) did nothing for security. At best this demonstrates that adding multiple different keys to the same lock makes things worse, not better.

    Captcha's original intent was to slow down bots, by making the user prove they were human. They are seldom used to protect anything
    of value, simply to keep the nuisance bots to a dull roar.

    Now it appears that machines can beat captcha and recaptcha very easily. So WHY do we still see these schemes in use?

    --
    Sig Battery depleted. Reverting to safe mode.
  11. Re:How far behind were the criminals/spammers? by Baloroth · · Score: 5, Insightful

    Because even a very "high" accuracy machine system is still going to add a significant barrier to automatically cracking the results, especially if Google continues altering reCAPTCHA like they do. While you won't eliminate 100% of attackers, you can eliminate the vast majority, and slow down the attackers that do get through. The alternative is to use nothing, and believe me: you absolutely do not want that. The Internet would be 99.99999999% spam almost overnight if that happened.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
  12. Re:How far behind were the criminals/spammers? by crashumbc · · Score: 2

    intelligence on /. bravo dear sir...

  13. Re:How far behind were the criminals/spammers? by Main+Gauche · · Score: 4, Insightful

    Now it appears that machines can beat captcha and recaptcha very easily. So WHY do we still see these schemes in use?

    Could you give me your address, and let me know when you won't be home? (I presume you no longer lock your house.)

  14. Re:How far behind were the criminals/spammers? by Animats · · Score: 4, Informative

    Re:How far behind were the criminals/spammers?

    At about 75%, from what I read on the black hat forums.

    There's a whole social spam ecosystem out there now, with tools and services for spamming Facebook, Twitter, Instagram, Google+, Yelp, Tumblr, Youtube, random blogs, and for retro types, Myspace. It's not just a few people doing this. It's an industry with a supply chain. Read my "Social is bad for search, and search is bad for social" paper for an overview. If it feeds into Google search rankings, it's being spammed.

  15. Re:How far behind were the criminals/spammers? by bill_mcgonigle · · Score: 4, Interesting

    On the contrary, yet is does minimize their accomplishment. It makes it all for nothing, a technical exercise, with no near term or long term payback. Recaptcha is a huge con, no more secure then the original captcha. The second (or first) portion being there only to serve some other purpose, and any answer will do.

    It's funny that you'd complain about a waste of effort and then bemoan Recaptcha, which was developed to prevent all those man-years of solving CAPTCHA's from going to waste.

    BTW, the founder of Recaptcha has expressed that he will be happy when it can be defeated trivially because at that point the other job it's trying to do can be completely automated, which is still a win.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  16. they managed to correctly answer audio captcha? by ffflala · · Score: 3, Funny

    Now *that's* impressive. The closest approximation I've heard to the audio captchas I've encountered would be the few recordings I've heard that John Lennon used to give out as gifts: he'd record multiple radios playing different stations.

    I did once get an audio captcha that was almost solvable -- AFAICT, it was a conversation between C'thullu in his native tongue and Tom Waits responding in Aramaic, recorded in a crowded airport terminal that had lots of loudspeaker announcements.

  17. Re:I gave up on Recaptcha and now use AreYouAHuman by foniksonik · · Score: 2

    Ah but click on the "accessible" option and lookie lookie, an mp3 audio file with gibberish and a background voice. "enter the words you hear".

    So this exploit would at least prevent using that option.

    The game concept is pretty good though, they just need to make an accessible version.

    --
    A fool throws a stone into a well and a thousand sages can not remove it.
  18. Re:First! by bkaul01 · · Score: 2

    When idiots spam every thread with worthless "First!" posts, how could any one of these posts not be redundant?