Google’s reCAPTCHA busted by new attack

A security researcher has devised a successful attack on a Google-owned system for blocking malicious scripts on web-based email services and other types of sites.

The attack, described in a paper released Saturday, uses a combination of OCR, or optical character recognition, techniques and other methods to break reCAPTCHA, a widely used security measure acquired by Google in September. Short for Completely Automated Public Turing test to tell Computers and Humans Apart, the CAPTCHA is designed to block automated scripts from carrying out certain tasks by first requiring users to solve an optical puzzle that isn’t easily cracked by computers.

Jonathan Wilkins of iSEC Partners said the method had a total success rate of 17.5 percent against reCAPTCHA. The rate is significant because of the wide use of botnets by spammers and other miscreants. Even a modest-sized network of 10,000 infected machines with a success rate of 0.01 percent would yield 10 successes every second. That could translate into 864,000 new accounts every day, he said.

“Given this, the attacker doesn’t have to rebuild a complete set of solutions, just enough to get this minimal success rate,” Wilkins wrote. A Google spokesman said the data in the report was collected in early 2008 and didn’t reflect enhancements made to reCAPTCHA since then. “Therefore, this study does not reflect the effectiveness of reCAPTCHA’s current technology against machine solvers,” the spokesman wrote in an email. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers.”
