Forgot your password?
typodupeerror
Security Spam IT

ReCAPTCHA.net Now Vulnerable to Algorithmic Attack 251

Posted by timothy
from the bless-you! dept.
n3ond4x writes "reCAPTCHA.net algorithms have been developed to solve the current CAPTCHA at an efficacy of 30%. The algorithms were disclosed at DEFCON 18 over the weekend and have since been made available online. Also available is a video demonstration of random reCAPTCHA.net CAPTCHAs being subjected to the algorithms." There's probably an excellent Firefox plugin to render this page's color scheme more bearable. Note: the PowerPoint presentation linked opens fine in OpenOffice, and the video speaks for itself.
This discussion has been archived. No new comments can be posted.

ReCAPTCHA.net Now Vulnerable to Algorithmic Attack

Comments Filter:
  • colours (Score:2, Funny)

    by orange47 (1519059)
    "There's probably an excellent Firefox plugin to render this page's color scheme more bearable."
    just select all page, its better.
  • Human Success? (Score:5, Insightful)

    by Anonymous Coward on Thursday August 05, 2010 @05:03PM (#33154776)

    So what is the average human success rate? I think mine is only about 50%

    • Re: (Score:2, Informative)

      by Anonymous Coward
      Mine is 100%. Recaptcha is probably one of the easiest captcha I've ever had to deal with; something is wrong with you, sorry.
    • by artg (24127)
      So, is there a firefox plugin that fills in captchas for me ?
  • My eyes! (Score:3, Funny)

    by Yvan256 (722131) on Thursday August 05, 2010 @05:04PM (#33154782) Homepage Journal

    The goggles, they do nothing!

    • Dude, if you're getting old enough to need reading glasses, just get them....

      There are some really bad CAPTCHAs out there - recapcha is one of the more human-readable ones, but sometimes just magnification isn't enough.

  • OCR improvements? (Score:3, Interesting)

    by Anonymous Coward on Thursday August 05, 2010 @05:05PM (#33154788)

    Can these attack algorithms actually increase the accuracy of normal OCR programs?

    • I haven't RTFA, but that's unlikely. With a captcha, you receive a response indicating whether you were correct or not. When using OCR, there isn't really any automated way to be sure if you've gotten it right.
    • by nizo (81281) *

      Better living through spam!

    • recaptcha was created to increase the accuracy of normal OCR programs...

      so technically the bots solving them would also be helping proof Project Gutenberg texts so long as they are getting both the test word and the book word correct.

      • Re: (Score:3, Informative)

        by AusIV (950840)
        They're not. I saw the presentation these guys gave at DefCon (their presentation was about as painful as their website), and they're only getting the test word correct with about 30% accuracy. They're not completely sure about their success rates on book words, but they believe it to be considerably lower than the test words.
      • Unless of course, all the bots use the exact same algorithm, and they all make the same mistake on the book words. Recaptcha uses consensus, right?
        • IIRC, as part of the marblecake time magazine vote thing, people submitted thousands of PENISes as the book word to try to get it inserted randomly into ebooks. The recaptcha people said they've anticipated such an attack and that it's not possible to influence final book word results.

  • But that just means more spambots, right?

  • by imsabbel (611519) on Thursday August 05, 2010 @05:08PM (#33154816)

    I recently went to their homepage and looked _really_ hard for any statistics about which books are transcriped. I read their Science paper. Tried all sections.
    Its all about the captcha part, and _nothing_ about the RE.
    The way they state how it works ("We are using 100.000 unique words") sounds like they have given up on that part long ago and just recycle their old database again and again...

  • If not, then the captcha should only be visible when the mouse cursor is over it.

    The key to a successful captcha is to make it accessible only by a user sitting in front of the screen.

    • by Lehk228 (705449)
      even if it couldn't be done normally, a hostile client could say the cursor is over the script just as easilly as it could place the cursor there.
    • by AusIV (950840)
      As a couple of ACs have pointed out, the people breaking CAPTCHAs aren't using browsers, they're using scripts. They don't care if a DOM element is hidden, or if they have to make an extra ajax request of some sort. The scripts will be tailored to the CAPTCHA they're trying to break, and you can't keep a script from getting a hold of something that you plan to show a human.
    • Re: (Score:3, Insightful)

      by IBBoard (1128019)

      Remember, iPads and touch-screens can't do hover. Plus there's the whole disability accessibility aspect as well ;)

  • by El_Muerte_TDS (592157) <elmuerte@@@drunksnipers...com> on Thursday August 05, 2010 @05:11PM (#33154844) Homepage

    It looks like that tool is better at deciphering the captchas than I am.

  • far from it (Score:4, Informative)

    by MagicM (85041) on Thursday August 05, 2010 @05:12PM (#33154858)

    I'm watching the video, and the end result is "b:1/78 1.28% s:27/78 34.62%" indicating that out of 78 tests of two words per test it got a single word right 35% of the time, and both words right only once or 1% of the time.

    Since both words need to be correct "solve the current CAPTCHA at an efficacy of 1%" would be closer to the truth.

    • Re: (Score:3, Informative)

      by NegativeK (547688)
      35% * 35% ~ 12%. And that ignores that one word is a known control, while the other is a word they're trying to OCR.
      • Re: (Score:3, Informative)

        by rm999 (775449)

        You are right, there is no need to get both words right.

        But, your 35% * 35% calculation assumes the recognition difficulty of the words is independent, which is a bad assumption in this case; the OCR word is one that is known to be hard to guess. It is probably more like 35% * 5% or something.

        • Re: (Score:3, Insightful)

          by retchdog (1319261)

          Interesting. If this is true as stated, and one knew/modeled OCR performance, you could use this information in some cases to pick out the plum and boost the crack...

          • by retchdog (1319261)

            meh. never mind. it'd only take twice as long at most, to just do your best on both. duh.

            i guess if there were a limited number of attempts you might use this to decide which ones to attempt vs. reload.

        • I seem to remember recapatcha claiming that if they think they are being screwed with they switch to sending two known words rather than one known and one unknown

    • Re: (Score:3, Informative)

      by BarryJacobsen (526926)

      I'm watching the video, and the end result is "b:1/78 1.28% s:27/78 34.62%" indicating that out of 78 tests of two words per test it got a single word right 35% of the time, and both words right only once or 1% of the time.

      Since both words need to be correct "solve the current CAPTCHA at an efficacy of 1%" would be closer to the truth.

      My understanding is that only one of the words needs to be correct, but it has to be the "right" one (reCAPTCHA presents two words one it's very certain it knows what it is and one it's less certain, you have to get the one that it's very certain of in order to pass).

    • Only ONE word needs to be correct for recaptcha.

      There is a known word you are tested against, and an unknown word pulled from a database of shit they scanned.

      Solving the known word correctly means you probably also got the unknown word correct. They then pool the "correct" submissions for the unknown words and see what the most common ones are.

      I don't know if this is completely automated or if they have an intern monkey clicking "yes" or "no" for unknown words and probable solutions, but the whole "crowd s

    • by IICV (652597)

      Not necessarily; I'm not sure exactly how reCAPTCHA works, but in theory they don't know one of the words - in fact, that other word may very well be unknowable, due to smearing or just not being a word (that happened to me the other day actually, I got one word and one thing that looked like a Farsi character). Thus, if you successfully guess the correct thing for the "known" word, it doesn't really matter what you guess for the "unknown" word as long as it's close or at least something a human might type.

    • Re:far from it (Score:5, Informative)

      by hydrofix (1253498) on Thursday August 05, 2010 @05:53PM (#33155330)

      Since both words need to be correct "solve the current CAPTCHA at an efficacy of 1%" would be closer to the truth.

      Actually, that is incorrect. The other word is already positively known by the OCR, and serves as a control, while the other is the one that the OCR could not read. It will of course only check the one that it knowns, and assumes the other one is then correct as well. So, if you get one of the words correct AND this is the same word that as their OCR identified correctly (which is very likely the case), then you pass, but most of the time (99%) give a bad answer for the harder, non-OCR word. Sadly, this leads to pollution of their database in the long run.

    • Re:far from it (Score:4, Informative)

      by Jorl17 (1716772) on Thursday August 05, 2010 @09:20PM (#33157152)
      This is not informative. As many have said. If You read: http://www.google.com/recaptcha/learnmore [google.com] , you'll get it.

      Here is the deal: reCAPTCHA presents two words. One is picked by it and is previously known. The other one is a word from a book that has been scanned. Said word is unknown to the reCAPTCHA system. When the user enters both words, reCAPTCHA checks to see if the known word has been properly recognized. If that is the case, then reCAPTCHA can assume that a human is answering. Given that a human is answering, then the second unknown word given by the human is most likely correct, because he/she will be able to recognize it as well. Using this system, reCAPTCHA works as a CAPTCHA (spam prevention) mechanism and also helps transforming old books/papers into digital format, such as the New York Times.

      So, in practice, only one word has to be correct -- the word that reCAPTCHA knows. What's sad is that bots may contribute incorrect second words...

      Next time, get informed before going all crazy.

      And here is the relevant info, quoted from the aforementioned website:

      reCAPTCHA improves the process of digitizing books by sending words that cannot be read by computers to the Web in the form of CAPTCHAs for humans to decipher. More specifically, each word that cannot be read correctly by OCR is placed on an image and used as a CAPTCHA. This is possible because most OCR programs alert you when a word cannot be read correctly. But if a computer can't read such a CAPTCHA, how does the system know the correct answer to the puzzle? Here's how: Each new word that cannot be read correctly by OCR is given to a user in conjunction with another word for which the answer is already known. The user is then asked to read both words. If they solve the one for which the answer is known, the system assumes their answer is correct for the new one. The system then gives the new image to a number of other people to determine, with higher confidence, whether the original answer was correct.
  • Plugin not needed... (Score:4, Informative)

    by knarf (34928) on Thursday August 05, 2010 @05:13PM (#33154874) Homepage

    There's probably an excellent Firefox plugin to render this page's color scheme more bearable

    No plugin needed:

    View->Use Style->None

    That is what it looks like in Seamonkey, Firefox will be similar. This more or less always works.

  • Hmm (Score:5, Funny)

    by Tailhook (98486) on Thursday August 05, 2010 @05:15PM (#33154906)

    Should I run the DEFCON presenter's giant SWF or not?

    o_O

  • Bad Hacking (Score:5, Insightful)

    by pz (113803) on Thursday August 05, 2010 @05:16PM (#33154910) Journal

    Why would anyone want to do this? It's like attacking the UN peace keeping troops or the Red Cross. reCAPTCHA is doing good work, digitizing scanned printed books so that the the text can be made available for online searching. Breaking reCAPTCHA is like defecating in the village well, ensuring that everyone suffers. No one benefits from reCAPTCHA being broken. No one.

    • Re: (Score:3, Informative)

      by kyrio (1091003)
      4chan already broke it.
      • 4chan didn't quite break it, more like they broke time's form implementation. They did a lot of 'hacks' but most was on how Time handled the poll - they didn't use any CAPTCHA at the beginning, then took the form offline, but not the voting script, so 4chan voted well past the cut off time, will millions of monkeys voting.

        see reCaptcha blog [recaptcha.net] and this well written article [musicmachinery.com]

        • by shird (566377)

          No the OP is pretty much right. 4chan has now implemented reCaptcha, yet is still getting hammered with spam. Thus some spammer using 4chan has managed to find a way around it with a pretty good success rate.

    • Re:Bad Hacking (Score:5, Insightful)

      by Dhalka226 (559740) on Thursday August 05, 2010 @05:31PM (#33155094)

      No one benefits from reCAPTCHA being broken. No one.

      Spammers.

    • Re:Bad Hacking (Score:5, Insightful)

      by maxume (22995) on Thursday August 05, 2010 @05:32PM (#33155106)

      Actually, it could be of use to reCAPTCHA, they can just pass their test words through this system before they make them public and then use the output to help prevent similar attacks.

    • Advertisers benefit. Or rather, people who sell advertising and SEO services and work automated lead/sales referral systems. Their clients are probably hurt by all the forum spam done in their name. Look around you. Wherever there is money being made, there are assholes joining in.

    • Re:Bad Hacking (Score:4, Insightful)

      by Flyne (1082975) on Thursday August 05, 2010 @05:42PM (#33155220)
      The problem of breaking reCAPTHCA is precisely the same problem as increasing computer OCR abilities, since reCAPTCHA by design uses words which current OCR abilities are inadequate for. This is a good thing for AI and computer vision and text digitization.
    • Re:Bad Hacking (Score:5, Insightful)

      by sbayless (1310131) on Thursday August 05, 2010 @05:58PM (#33155364)

      No one benefits from reCAPTCHA being broken. No one

      You couldn't be more wrong. Sure, breaking reCAPTCHA would create a headache for website admins (including me, for example), but in order to break reCAPTCHA someone has to devise a better text recognition program. And that's great news! This is an example of a general side effect of the cat and mouse game that are captchas. Captcha's are a simple form of Turing Test, where website admins are trying to determine who is a computer and who is a real human being. Every time a captcha gets broken, we get a sophisticated new algorithm for doing something that previously only humans could do (or only humans could do well, at least).

      • Re: (Score:2, Insightful)

        by mysidia (191772)

        Except the algorithm doesn't really do that... to defeat the captcha, it only needs to get it right about 10 or 20% of the time, to give the malicious script a "good enough guess" to brute-force the Captcha with 5 or 6 retries.

        As long as the number retries are less than those the a fair percentage of humans require....

    • It's not about breaking reCaptcha, it's about avoiding the reCaptcha hurdle on all the sites that use it. If a site put up a captcha, there's some resource it's protecting that other people want. This is a way to get it in a bulk way, therefore economically cheaper.

      And you think that a person who can benefit with a fat check will care about some abstraction that they're polluting the village well? For money, people sell drugs that kill people. This is nothing compared to that.

    • If reCAPTCHA's too easily breakable, then Bad Guys will figure out how, and will start exploiting sites that use reCAPTCHA for protection.

      So we need to know how vulnerable it is, and the reCAPTCHA folks need to figure out how to fix it. It's an arms race, always has been, probably always will be.

  • There's probably an excellent Firefox plugin to render this page's color scheme more bearable.

    I like using a Readability bookmarklet in my bookmarks bar: Readability - An Arc90 Lab Experiment [arc90.com]

  • Is this related? (Score:5, Interesting)

    by Khyber (864651) <techkitsune@gmail.com> on Thursday August 05, 2010 @05:48PM (#33155290) Homepage Journal

    Anybody that pays attention to 4chan recently knows they had to implement captcha due to a massive spamflood of infected morons. recaptcha got busted thanks to someone in /g/ who leaked the vulnerability in the sound system for reCAPTCHA, and the whole site was again inundated with spam, though not to the degree as the original spam attack.

  • by mwvdlee (775178) on Thursday August 05, 2010 @06:02PM (#33155406) Homepage
    When it is claimed to be 30% accurate, I'd expect some 30% of all captchas being correcly guessed. Watching the video, I noticed the algorithm gives itself 30-40% scores for getting just one of the two words right or sometimes even for getting the right length and a few correct letters. Didn't watch it to the end, but in the few minutes I watched, ZERO entire captcha's were solved. So that's ZERO% acurate in my book. For instance, actual captcha text "ware readiness", guessed captcha "votarry rehabbed", reported accuracy 38.24%... how the hell is that over 38% accurate? If you had that level of accuracy when trying to get past a captcha (which is pretty much the definition of it being vulnerable, right?), you wouldn't get past a single captcha. it's 30% accurate if it correcly guessed about 3 out of every 10 captcha's, not if it fails every single captcha.
  • since thats about the accuracy of a human
  • by BlueMonk (101716) <BlueMonkMN@gmail.com> on Thursday August 05, 2010 @08:39PM (#33156812) Homepage

    Seeing this article gave me an idea to come up with a new human verification process. I created a C# program in about an hour that loads images from Google images based on searching for 3 of 2000+ nouns. It shows 3 examples of each noun and asks the user to pick the correct noun from a list of 6. This program is just a proof of concept of course. Could this become useful? (Binary and source code included.)
    http://enigmadream.com/misc/HumanVerification.zip [enigmadream.com]

    • The spammers can just choose a random option until they get in. All that will do is slow them down a bit.

    • Re: (Score:3, Interesting)

      If you used something that wasn't a public resource based around text strings, then yes.

      Better still... show a bank of images, ask which one has a happy little girl in it. (all images contain a girl, only one obviously happy). Randomize the backend with a cryptographic routine (so the file names don't give anything away) and you are set for a while. Computers are terrible at such things, people are pretty good at it.
  • Then we can just put reCAPTCHA on all pages being used for spam, and get transcription services for free.

Mathematicians stand on each other's shoulders. -- Gauss

Working...