Slashdot Mirror


How Hackers Listened Their Way Around Google's Recaptcha

An anonymous reader writes with this story at Ars Technica: "Three self-taught hackers from the DC949 hacker collective managed to use a combination of techniques to beat ReCaptcha with 99.1% accuracy (better than most humans!)" In short, the hackers skipped the visual part of the Recaptcha system entirely, focusing on the audio alternative, which gave them a few convenient angles of attack. Google responded with changes to the system, but that doesn't minimize their accomplishment.

7 of 101 comments

  1. Snake meet tail by V-similitude · · Score: 5, Insightful

    I realized there's an interesting aspect to this, in that gVoice transcription is actively trying to do basically the same thing these guys did* (albeit in a far more general way). Wonder how gVoice would do transcribing Google's own recaptcha audio. Someone go try that. Either way though, it's an interesting dilemma if they ever got automatic transcription good enough to defeat these audio recaptchas.

    * Well, after RTFA, I realize that a fair bit of what they did was actually more related to hashing (and the pseudo-random generator) vs actually trying to parse the audio, but still.

  2. Another solution.. by Ziekheid · · Score: 5, Informative

    Most of the spammers who circumvent captchas use real people to fill in their captchas for them. How they do it:
    1) A pay-per-filled-in-captcha site (where members solve captchas, not really getting paid even though they think they will be) OR a high traffic site (false/scam sites, hacked sites, etc)
    2) Mirror the image from the site you want to spam to your own site
    3) A person visits your own site with the mirrored image and solves the captcha
    4) Mirror the answer back to the site you want to spam
    5) ???
    6) Profit! (literally)

    1. Re:Another solution.. by Anonymous Coward · · Score: 5, Insightful

      Reminds me of the story of the guy who would play 8 games of chess simultaneously in an octagon and absolutely guarantee he'd win 50% of the games at least.

      He then proceeded to play the moves of the players opposite each other against each other.

  3. "Better than most humans" by Anonymous Coward · · Score: 5, Funny

    That's it! Make all users do a SERIES of incredibly hard recaptchas. Those who get too many correct are machines! Brilliant!

    1. Re:"Better than most humans" by Anonymous Coward · · Score: 5, Interesting

      ...especially if they solve them in less time than the duration of the audio. (Only half kidding: They solved millions of eight second long captchas in a second and a half each and Recaptcha didn't even blink.)
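The timing signal raised in the comment above can be checked server-side. The sketch below is an added example, not part of the thread and not reCAPTCHA's code; the token layout, `SECRET`, `issue_challenge` and `check_submission` are assumptions made for illustration, and the sample values are constructed from the comment's figures (an 8 second clip answered in 1.5 seconds).

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: per-deployment server secret


def _mac(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_challenge(challenge_id, audio_seconds, now=None):
    """Return a token binding the challenge id, clip length and issue time."""
    issued = time.time() if now is None else now
    payload = f"{challenge_id}|{audio_seconds}|{issued:.3f}"
    return f"{payload}|{_mac(payload)}"


def check_submission(token, now=None, max_age=300.0):
    """Classify a submission: 'ok', 'too_fast', 'expired' or 'bad_token'."""
    now = time.time() if now is None else now
    try:
        challenge_id, audio_s, issued_s, mac = token.split("|")
        audio, issued = float(audio_s), float(issued_s)
    except ValueError:
        return "bad_token"  # wrong field count or non-numeric fields
    expected = _mac(f"{challenge_id}|{audio_s}|{issued_s}")
    # Constant-time comparison; the client cannot edit the clip length
    # or issue time without invalidating the MAC.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return "bad_token"
    elapsed = now - issued
    if elapsed > max_age:
        return "expired"
    if elapsed < audio:
        return "too_fast"  # answered before the clip could have finished
    return "ok"


if __name__ == "__main__":
    token = issue_challenge("c1", 8.0, now=1000.0)  # constructed sample
    print(check_submission(token, now=1001.5))   # 1.5 s after issue
    print(check_submission(token, now=1011.0))   # 11 s after issue
```

A client that simply waits out the clip still passes, so this check only caps solving throughput per challenge and belongs alongside other signals rather than in place of them.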

  4. Re:Weakest Link by amicusNYCL · · Score: 5, Funny

    If they can solve captchas at 99% accuracy, I hope they develop a browser toolbar or plugin I can use.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black

  5. Re:How far behind were the criminals/spammers? by Baloroth · · Score: 5, Insightful

    Because even a very "high" accuracy machine system is still going to add a significant barrier to automatically cracking the results, especially if Google continues altering reCAPTCHA like they do. While you won't eliminate 100% of attackers, you can eliminate the vast majority, and slow down the attackers that do get through. The alternative is to use nothing, and believe me: you absolutely do not want that. The Internet would be 99.99999999% spam almost overnight if that happened.

    --
    "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton