Forgot your password?
typodupeerror
Security Businesses Google The Internet

Gmail CAPTCHA Cracked 317

Posted by kdawson
from the like-dominos dept.
I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."
This discussion has been archived. No new comments can be posted.

Gmail CAPTCHA Cracked

Comments Filter:
  • by JeanBaptiste (537955) on Tuesday February 26, 2008 @11:24PM (#22568514)
    and I cannot help but wonder if this will increase our usually abysmal rate for reading handwriting. (and no, I don't design it myself so no ripping on me, just work with it)
    • Nah - you're not a pr0n spammer, so you'll never get it.

      Seriously, I bet the peeps at Tesseract, ABBYY and Kofax are right now trying to figure out what the spammer losers are doing. Meanwhile, Kurzweil is probably coming up with some new genius scheme for us to learn...

      • It's actually being cracked by a million monkeys clattering away at a million typewriters. Pretty hard to defeat that.
        • by MillionthMonkey (240664) on Wednesday February 27, 2008 @01:26AM (#22569618)
          Your ideas intrigue me and I wish to subscribe to your newsletter
        • by goombah99 (560566) on Wednesday February 27, 2008 @11:25AM (#22573790)
          Google and many other universities already have program in recruiting people to do things computers can't do well. One of those that google already uses is image tagging. Show images and ask people to write down words of what's in them. So they could simply do this with two or three images they recently obtained good label sets for. They could even throw in a fourth not-yet known labeled image and use the sign-up process to gather new image labels.

          There's all sorts of hard problems like this. Another single player game is to show an image with a lot of things in it. Then give a word describing one aspect of the image and ask them to click on the part of the image that conveys that meaning.

          The if you have many concurrent sign-ups there lots of two player games both symmetric and assymetric. a short chat session in the vein of the game "password" in which one person makes a series statements about an object ("it is liquid", it is white, it is tasty, you find it in the refrigerator of many homes", it comes from cows....) and the other person has to reply with "milk". Then both players are validated.

          The last is a very useful AI product by the way especially if the first player is forced to use a controlled grammar where he just fills in some of the nouns or verbs but does not construct the sentence forms. This gathers a set of true assertions about an object that allow computers to learn semantics and meaning.

    • by martin-boundary (547041) on Tuesday February 26, 2008 @11:40PM (#22568696)
      Unfortunately, it's HumanPower(TM). About 3/4 of the way down TFA, they show a web page with instructions (in Russian) for the people who get paid to read the CAPTCHAs.

      • Re: (Score:2, Interesting)

        It doesnt say that its humans reading them, just that a page rehosts the bmp images. Im confused as to where the bots work. Im suprised that phishers dont use thier victims to crack CAPTCHAs.
      • by 1u3hr (530656) on Wednesday February 27, 2008 @12:07AM (#22569000)
        Unfortunately, it's HumanPower(TM). About 3/4 of the way down TFA, they show a web page with instructions (in Russian) for the people who get paid to read the CAPTCHAs.

        I doubt it.

        TFA says this is a service SELLING captcha breaking. If it was human powered, I'd expect it to do much better than the 20% they cite.

        • by Z80xxc! (1111479) on Wednesday February 27, 2008 @12:18AM (#22569064)

          TFA says this is a service SELLING captcha breaking. If it was human powered, I'd expect it to do much better than the 20% they cite.

          Ummmm... I'm not so sure about that. OK, google's captcha's are pretty easy for humans to read, but I've often had to try literally 6 different captcha's on some sites. Yes, really.

        • by martin-boundary (547041) on Wednesday February 27, 2008 @01:01AM (#22569388)

          TFA says this is a service SELLING captcha breaking
          I'm not sure you're right. Why would the page include instructions such as

          In no case do not enter random characters!

          We pay only correctly recognized pictures!

          That sounds more like instructions for people doing the CAPTCHA breaking, no? Unfortunately, I can only go by the English translation, somebody who can read Russian would be useful.

          I'd expect it to do much better than the 20% they cite.
          I can think of various reasons. For example, there might not be somebody at the other end doing the breaking at the exact moment when the bot tries to connect. In that case you'd get ~100% for only part of the day and 0% the rest of the time. 24 * 20% is about 5 hours each day. A part time job?

          It's also true that _average_ people only break CAPTCHAs successfully about 80% of the time. Here's a relevant experiment [jgc.org]

          Then there's possible issues with firewalls etc. Some bots are hosted on a zombified PC which could have any kind of restrictions, and it might have trouble dialing one of the the servers, or maybe the server can't respond properly due to inbound filtering.

  • by danomac (1032160) * on Tuesday February 26, 2008 @11:26PM (#22568540)
    I'm surprised they opened it up to the public. When they did, I pondered how long it would take before spammers would start doing this en masse.
  • by Anonymous Coward on Tuesday February 26, 2008 @11:26PM (#22568544)
    This is a tangent, but I'm curious: this site blurs out a lot of text, presumably for privacy. How secure is that? It seems like it would be fairly easy (given knowledge of the font, which you have from other parts of the screenshot) to figure out what the underlying text is. I wish people would just black out things they don't want you to know.
    • by kcbanner (929309) * on Tuesday February 26, 2008 @11:30PM (#22568594) Homepage Journal
      Its funny actually, in the SIFT algorithm (detects scale invariant keypoints in an image, used for panorama stitching, computer vision, etc), it uses a Gaussian blur as part of the detection process. It uses multiple levels to better find invariant keypoints. While havening the unblurred image certainly helps, its not necessary.
      • Re: (Score:2, Interesting)

        by arktemplar (1060050)
        Okay, this is fsked, I know guys who are working on a variant of this, they have a learning algorithm, they have a database of already known captcha's somthing like 400 images or so ? Now what they do is break up the existing captcha into small 2x2 grids and try and match it to whatever is already in the database, they are using it for other stuff(image reconstruction) but I think they can modify it for this as well.
  • Bots RTFM! (Score:5, Funny)

    by russotto (537200) on Tuesday February 26, 2008 @11:27PM (#22568556) Journal

    Curiously, the bots pretend to read the help information while breaking the CAPTCHA
    Ever consider that maybe the bots aren't pretending? (cue Frankenstein music)
  • by motek (179836) on Tuesday February 26, 2008 @11:28PM (#22568568) Homepage
    Instead, Google should use something akin MENSA tests. This would deter the bots and make the customers feel really good about themselves. And this feeling, my friend, can't be bought cheaply.
    • Re: (Score:2, Funny)

      by Anonymous Coward
      Instead, Google should use something akin MENSA tests. This would deter the bots and make the customers feel really good about themselves.

      Good idea! Then all other email companies would hopefully follow suite dramatically then cutting down the forwarding of chain letters, viruses, stupid support calls, SPAM sales etc... ;-)
      • Re: (Score:3, Funny)

        by motek (179836)
        That is a very good point. They say that 90% of all e-mail is SPAM. Probably 90% of the rest shouldn't have been sent either. BTW: feel free o remove this message.
    • by davidwr (791652) on Tuesday February 26, 2008 @11:34PM (#22568620) Homepage Journal
      The bots pass the MENSA test.

      Cue overlords posts in 3...2...1...
      • Re: (Score:2, Funny)

        by neil.orourke (703459)
        I, for one, welcome our new MENSA bot overloards!
        • Coming to you this summer, from Soviet Russia, the new, the improved, the thinking-of-the-children MENSA bot overlords! With an IQ of 6,000 and a face like Norman Lovett they can read pictures better than you!

          Ah... can't find anywhere else to go with that, complete as you wish. Apologies for the Red Dwarf [wikipedia.org] reference.
    • by v1 (525388) on Tuesday February 26, 2008 @11:36PM (#22568646) Homepage Journal
      That raises an interesting idea... why not use the capchas to perform some useful work? Example... display a scanned line of text from a project that needs a large volume of text OCR'd for free/cheap. Compare the texts from several submitters, and assume groups with a high match rate are reading it correctly.

      This accomplishes three goals:
      - fairly effective capchas
      - accomplishes something
      - causes OCR quality to improve (via the hard work of the botnet coders)

      Not saying the above example is ideal, just trying to illustrate the idea. Take advantage of available resources (be they real people or botnets) and harvest it to accomplish something practical with it.

  • Humans? (Score:5, Interesting)

    by Pr0Hak (2504) on Tuesday February 26, 2008 @11:30PM (#22568586)
    This makes one wonder: Is it possible that it is cost effective for spammers to employ low-cost human labor and that they pipe all these captcha challenges to this set of humans whose sole job is to stare at computer screens with pending captcha challenges and answer them?

    (I would imagine that this job would have high turnover :) )
    • Re:Humans? (Score:5, Interesting)

      by PhrostyMcByte (589271) <phrosty@gmail.com> on Tuesday February 26, 2008 @11:46PM (#22568766) Homepage
      one technique that has been used in the past, is that porn websites will have their registration page just be a proxy for a registration page on a site they want to spam. people register and they get their captchas done for free.
      • Re:Humans? (Score:4, Interesting)

        by 1u3hr (530656) on Wednesday February 27, 2008 @12:53AM (#22569322)
        one technique that has been used in the past, is that porn websites will have their registration page just be a proxy for a registration page on a site they want to spam. people register and they get their captchas done for free.

        So do you have a URL? I thought not.

        I don't think that has ever really been used. Heard it suggested many times, never a link or reference to any site that really did it. For one thing, it would invite attack, poisoning, retaliation from those being cracked. Simpler just to pay some sweatshop in India a few cents per code solved.

        • Re:Humans? (Score:5, Interesting)

          by karmatic (776420) on Wednesday February 27, 2008 @02:51AM (#22570202)
          Well, it wasn't on a porn site, but I've done proxying of captchas (Proof of Concept) for:

          PayPal
          GMail
          eBay

          It's not hard - use CURL, have it handle cookies. Populate database, give to users (requires decent traffic). My system even used a regex on the registration success page to fail users who failed the captcha.

          Given my system took about half an hour to write, and people are going to lengths like the ones in the article to beat them, it's pretty much a given that people are out there doing it now. FWIW, I was working on ways to watermark a captcha to make the source obvious.
    • On our company's Internet site, we've recently been getting lots of one-time submissions via various forms for things that are obviously advertisements. We don't have pages where you can actually post things and have them appear (like a discussion group), so this is mostly annoying the humans on the receiving end of the forms.

      There's a few ways to deter bots, but based on the stuff people would have to do to fill them out, about half seem human. How you could earn your keep trying to submit advertising
    • by davevr (29843)
      You don't have to wonder - this is exactly how they do it. People are paid for every X images that they successfully type. It is a variation on the pay-for-click schemes. The low accuracy rate is partially human error and partially because sometimes no one is "working" when the request comes in. There are plenty of places on earth where making $100/month doing this in an i-cafe is a reasonable job.
  • by davidwr (791652) on Tuesday February 26, 2008 @11:31PM (#22568602) Homepage Journal
    Sigh.

    Maybe the days of convenient on-demand service signup are coming to an end. Wikipedia already puts new accounts "on probation" for a few days - they can't edit certain articles and can't create new ones.

    I see a time when Google and other free-mail providers limit new accounts to a few dozen outgoing messages a day, and raises the limit only when you've 1) logged in to check mail on 10 different days over at least a 30-day period, 2) sent at least 100 distinct messages to at least a few dozen distinct addresses, and 3) actually requested the limit be raised. Those needing higher limits sooner can pay $1 by credit card to have an override-code mailed to them.
  • Well... (Score:5, Funny)

    by Agent.Nihilist (1228864) on Tuesday February 26, 2008 @11:33PM (#22568614)
    It would be too obvious if they were reading the ToS.
  • by LingNoi (1066278) on Tuesday February 26, 2008 @11:33PM (#22568616)
    This is cleary good for all computers. Before AI weren't allowed to contact their AI friends. Only Humans were allowed such privileges as email.

    The way I see it this is a step forward for human and robot relations. Women's rights, African-American Civil Rights Movement and now Robots rights!
    • Re: (Score:3, Funny)

      True, true. Hindsight is 100%. If only somebody had given Skynet a compuserve account in the 90s, we could have definitely saved ourselves the whole Blow Up Mankind With Nukes thing.

      Live and learn, eh?

  • by superash (1045796) on Tuesday February 26, 2008 @11:34PM (#22568622)
    Seriuosly! It is high time they moved to something that was difficult to break. IIRC there was an image comparison technique where you are supposed to match two images of similar objects or animals. I think here if the environment, color, zoom and other factors are different then there is no way this can be broken. Although you cannot generate such images, if you have a photo gallery of 10k pics and continuosly growing I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.
    • I think that should be good enough till we have humanoid robots that can look at the pictures and correctly match them.

      We already do. [amazon.com]

    • by evanbd (210358) on Tuesday February 26, 2008 @11:42PM (#22568708)

      Just use kittens [arstechnica.com] instead...

      The idea is to present a 3x3 grid of images and have the user select the 3 kittens from the 9 fuzzy animals. That's something computers are still quite bad at... Though you probably need to change the probability of getting it by random luck to be worse than 1/84, in practice.

      • Re: (Score:3, Funny)

        by plover (150551) *
        So what if one of the images is from Bonsai Kittens [shorty.com]? Is it fuzzy or glossy?
      • Re: (Score:3, Interesting)

        by sshir (623215)
        Actually, it will not last for very long too.

        There was a presentation at google talk [google.com]: 'Using Data to "Brute Force" Hard Problems in Vision and Graphics' by A. Efros.

        Basically it's not that hard to teach computer to recognize things if you have shitload of pre-tagged images.

  • One other approach to CAPTCHAs would be having three different images displayed, in different colours with a fourth indicating which colour text to choose. The main issue though are people who colour blind.

    Any other ideas for a better CAPTCHA?

  • To be fair.. (Score:5, Informative)

    by Quixote (154172) * on Tuesday February 26, 2008 @11:40PM (#22568688) Homepage Journal
    the CAPTCHA hasn't been "cracked". These people are just using humans to enter the CAPTCHA text; which is the whole point of the CAPTCHA anyways!

    Remember: CAPTCHA is an acronym (or backronym, depending on who you believe) for "Completely Automated Public Turing test to tell Computers and Humans Apart".

    The CAPTCHA would be considered cracked if there was a computer algorithm somewhere decoding it autonomously.

    • by corsec67 (627446)
      A "porn for solving captcha" website would be one way that you could have "group intelligence" do your work, as opposed to "artificial intelligence".

      Sort of like making a bot-net of humans. Living zombies, anyone?
  • CAPTCHAs should die (Score:5, Interesting)

    by OzRoy (602691) on Tuesday February 26, 2008 @11:42PM (#22568706)
    They are an awful abomination on all website usability and is becoming increasingly common they just don't do what they are supposed to do any more.

    So it seems that these companies have two options, either make the letters and numbers more unreadable and more frustrating to users, or scrap them completely and come up with a new anti-bot scheme.

    My favorite so far is KittenAuth (http://www.thepcspy.com/kittenauth). It's easy to use, and would be a hell of a lot harder to crack then letters and numbers. Most importantly it's cute! So adorable
    • by pete-classic (75983) <hutnick@gmail.com> on Wednesday February 27, 2008 @12:02AM (#22568936) Homepage Journal
      Do I understand correctly that you are holding yourself out as a web usability expert, and in the same post you offer a URL that is not a link?

      Wow.

      -Peter
      • by OzRoy (602691)
        You call forcing the user to enter html to convert a basic url pattern into an actual hyperlink user friendly?

        Wow.

        But then we aren't critising Slashdot's user interface in this article right now are we? :)
    • by teslatug (543527)
      Well, it's keeping off the know so skilled spammers and the spammers that can't afford to pay for accounts created by those with the skills. Many websites would be unusable without captchas.
    • by grumbel (592662)
      KittenAuth seems to be trivial to crack, you simply download the images, categorize them by hand and then use a bot to do the matching against the set of current images. Since you don't have a unlimited supply of images you will quickly run into trouble.
  • It was still in beta... Things like this should be a normal part of the beta testing phase. That's the proper way to do it before releasing the product...

    Ohhh.. I feel my karma burning...
  • Put another captcha in place (they are a dime a dozen) and make the crackers start over. Do the same again in 3 days. Drive them crazy.
  • is that Google replaces it by end of tomorrow, if not today. I would be surprised if they were not anticipating this and has several types lined up.
  • Mechanical Turk (Score:5, Interesting)

    by Stan Vassilev (939229) on Tuesday February 26, 2008 @11:48PM (#22568794)
    If the bots are stalling for time, it's quite likely someone's home-grown version of Mechanical Turk distributed "human" task service, similar to the one by Amazon.

    The image is put on queue and, say, a good number of, say, overseas employees... are getting the image and need to fill back in the solution as plain text. In the mean time the bot is "reading the manual".

    When the bot gets the answer in time, it submits the form and there we go, account.
  • spam filtering (Score:5, Interesting)

    by labradore (26729) on Tuesday February 26, 2008 @11:50PM (#22568802)
    So if someone has broken the captcha, spam bots can send spam from the fake google accounts. Google can rate-limit outgoing email. Also they can watch accounts that send identical or similar emails. They already do profiling of accounts for adsense. By profiling accounts to filter spam, they can warn and then close down spammy accounts or simply close down the ones that look very spammy. Additionally, they can filter IPs and use cookies to identify infected spamnet computers.

    If the web browser guys could agree on a standard to inform people that their computers look like they're infected, the major email and associated portal providers could start inserting signed messages in web pages that will inform the users that their computers are infected based on this kind of information.

    I wonder if it's worth it to Microsoft and Google and Yahoo and AOL to team up to fight these increasingly powerful and sophisticated bot nets.

  • by syousef (465911) on Tuesday February 26, 2008 @11:51PM (#22568828) Journal
    "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate.

    That's better than I can do reading those damn things!!!
  • by chemindefer (707238) on Tuesday February 26, 2008 @11:55PM (#22568882)
    I just checked Google News and there's nothing there about it.
  • Would this not be a reliable way to bypass almost all captchas?

    Since most have a spoken option for visually disabled people, would it not be possible activate that and then run a voice recognition app on that sound clip?

    Since many voice recognition apps are able to filter noise to some degree, even introducing background clutter would not make it difficult to pull the captcha information.
  • Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

    That's why you tell the bots not to lie [xkcd.com]. As we all know from Star Trek, any logical being, which includes computers and Vulcans, is incapable of lying.

  • just a thought, but can't they just change the hash seed and be done with it? it'd take the bots however long again to figure it out.... seems a simple fix to me (and I run a few sites with captchas, not that hard to change!) but then again, I'm not google so I guess I'm evil...
  • They say in 20 years we'll be up to the level of humans. What will happen then?
  • It should be trivial to reward a troop of Monkeys - erm - young men - to decipher Google CAPTCHAS in return for really good quality porn pictures.
  • by merc (115854) <slashdot@upt.org> on Wednesday February 27, 2008 @12:55AM (#22569338) Homepage
    Google mail is loved by spammers since gmail does not embed within the SMTP headers any tracking information about the physical client browser's IP address. Hotmail and Yahoo!, with all of their other problems do however by adding X-Originating-Host tags, etc.

    By breaking the CAPTCHA the spammers are basically creating the biggest SMTP IP address laundering system available on the net today. Who in their right mind is going to block gmail with the exception of domains that receive small amounts of personal email traffic and temporary IP address repudiation scoring systems like spamcop?
  • by gblues (90260) on Wednesday February 27, 2008 @02:30PM (#22576352)
    Ingredients:

    1) A web registration form with a CAPTCHA input;
    2) 1 easily-OCRed image;
    3) Some creative use of JS/CSS

    Depending on how much you want to obfuscate, enclose the CAPTCHA input in a DIV tag, and set that div to display: none. The robot will see the image, OCR it, and fill it out.

    Then you reject any application that actually has an input for the CAPTCHA.

"Pok pok pok, P'kok!" -- Superchicken

Working...