Google ReCAPTCHA Cracked

stormdesign writes "Despite denials from Google, a security researcher continues to assert that the Search King's reCAPTCHA system for protecting Web sites from spammers can be successfully exploited by Internet junk mail panderers."
  • so hard that not even your users will be able to 'crack' it and log in to your store. No, it's really good, and doesn't need remote services (like recaptcha).
    • What's "ZDR" stand for then, "Zero Desirable Results"?

      • Re:Captcha ZDR .... (Score:5, Interesting)

        by devxo ( 1963088 ) on Tuesday January 11, 2011 @10:58AM (#34835564)
        All captchas are practically useless. There is no need to crack them - for example decaptcher [decaptcher.com] solves 1000 captchas for $2. Any captcha type works since they're solved by humans. They also have APIs for several different languages which let the programmer easily put the process into their programs.

        As long as there's really cheap workforce and economic differences in the world, things like this won't be solved.
        • by Lumpy ( 12016 )

          /Recently spammers have new tools in place, I am suddenly getting comment spam on 4 wordpress sites that use this kind of stuff to trap it. I have notice this for over 5 weeks now.

          • by daid303 ( 843777 ) on Tuesday January 11, 2011 @11:16AM (#34835728)

            It's quite simple to stop that: implement a small non-standard part in your signup process. I put in an extra input text field named "askldjwla" with the text: [Enter "I am not a bot" here (without quotes)] and my spam has reduced to 0. Spammers target the large and easy; just don't be a part of that group.

            • by Anonymous Coward on Tuesday January 11, 2011 @11:22AM (#34835798)

              That might work for your vanity blog, but higher traffic sites are more valuable targets and as such attract greater efforts.

            • Re: (Score:3, Interesting)

              by Magic5Ball ( 188725 )

              We run a not large site that gets 20,000-40,000 spam comment attempts per day. Some simple filters leave us with dozens of items to manually review per year:
              1) English (language in general) employs rules that yield statistical patterns. For example, personal names and occupations do not contain 50 per cent upper case letters and 50 per cent lower case letters in English. This bins the bots that fill unmatched fields with random characters, without bothering human users since CSS is good now (our forms somet

              • Re: (Score:3, Informative)

                by thejynxed ( 831517 )

                Another fun trick is how easy it is to catch spambots by using "invisible" form fields. Bots are too "stupid" to negotiate around these traps. They fill in those fields just like they do the visible ones, allowing you, the site operator, to instantly bin their nonsense to /dev/null with scripts and ban their IP addresses.

        • 1000 captchas solved by humans for $2? WTF? Who do they have working on these things? Even that Indian tech-support drone I talked to yesterday would fetch more money than that ...

          • Comment removed based on user account deletion
          • Re: (Score:3, Interesting)

            by devxo ( 1963088 )
            Indians mostly. Those who solve them actually only get paid $1 per 1000 captchas. But for example, the average daily salary in places like Cambodia is less than $1. Solving 1000 captchas for that starts to sound like a dream job and there is no education needed.

            It's the same reason why powerleveling and gold selling services exist in cheap asian countries, economics make it possible and even a good job.
          • Re:Captcha ZDR .... (Score:5, Interesting)

            by SeaHunter ( 838892 ) on Tuesday January 11, 2011 @11:41AM (#34835984) Homepage
            I remember a message board from a few years ago where some guy had talked about taking a screen shot of a captcha and displaying it on his free porn site making it look like it was really from his site. The person looking at the porn site would type in the captcha answer and his script would in turn use this user provided solution to solve the real captcha on the original site letting his script get past the captchas and spam the message board. So if it really did work he got 1000's of captchas solved by humans for free.
            • by vux984 ( 928602 )

              solved by humans for free.

              solved by humans in exchange for porn. Not free. Close enough to free though. :)

            • by 1u3hr ( 530656 )
              some guy had talked about taking a screen shot of a captcha and displaying it on his free porn site...

              Yeah, yeah. People have been talking about that for years. Never actually put it into practice.

              So if it really did work he got 1000's of captchas solved by humans for free.

              Not "free". You'd need a pretty high traffic site to get responses quick enough. But there's so much free porn on the web that no one will be bothered to do them. It'd probably cost you more to run and host the porn site than jus

          • 1000 captchas solved by humans for $2? WTF? Who do they have working on these things?

            People who have solved millions of CAPTCHAs and are really fast. They probably also do the easy ones in software, thus upping the effective throughput. One approach would be to have the software present its best guess to a human for verification.

        • Comment removed based on user account deletion
          • Re:Captcha ZDR .... (Score:5, Informative)

            by isilrion ( 814117 ) on Tuesday January 11, 2011 @11:54AM (#34836116)

            With reCaptcha, you don't have to successfully OCR the scanned word, just the control word. Usually they are indistinguishable by sight (you don't know which one is the control word), but I've seen reCaptcha instances where one word is clear and the other one is unreadable. In these cases, you can type the control word correctly and just write some gibberish for the other, and you'll beat the captcha.

            Which means that the spammer won't have to OCR the hardest of the words... just the simpler one. Run the OCR to the full text, post both words, and if the simpler one matches, you broke the captcha.

            (I make it sound so easy! It really isn't! I'm amazed that they did break it! I just wanted to point out that it isn't "OCR words that haven't been OCRd before", rather than "OCR words that have been OCRd previously and are now a bit distorted".)

            • by Nadaka ( 224565 )

              Also seen one where the other word was a set of hieroglyphs or oddly shaped rectangles.

            • Except that simpler word is something that their OCR software failed to figure out before and has since been solved by a person filling out the captcha. So indeed you do still have to build better OCR software than google has to actually break the captcha. Further they morph the control word just a bit, so not only do you have to build better OCR software, it has to be MUCH better.

        • for example decaptcher [decaptcher.com] solves 1000 captchas for $2.

          That's probably enough to prevent a lot of spam. Spam isn't very profitable per post.

        • All captchas are practically useless. There is no need to crack them - for example decaptcher [decaptcher.com] solves 1000 captchas for $2. Any captcha type works since they're solved by humans.

          I bet this type of captcha [wordpress.com] would still work well on sites like mathoverflow or wolfram...

          • All captchas are practically useless. There is no need to crack them - for example decaptcher [decaptcher.com] solves 1000 captchas for $2. Any captcha type works since they're solved by humans.

            I bet this type of captcha [wordpress.com] would still work well on sites like mathoverflow or wolfram...

            The answer is zero, btw. (which was a little anticlimactic, if you ask me)

  • by antifoidulus ( 807088 ) on Tuesday January 11, 2011 @10:51AM (#34835458) Homepage Journal
    Come on Google, we all know that in the Capcha war, we only have one weapon left, capcha porn. There isn't a spambot alive who could answer "In the above movie, how many cocks were inside Jenna Jameson?" or "what sex position is this?"
    • by Abstrackt ( 609015 ) on Tuesday January 11, 2011 @11:02AM (#34835602)

      There isn't a spambot alive who could answer "In the above movie, how many cocks were inside Jenna Jameson?" or "what sex position is this?"

      Six and the Arabian spinecracker.

      You could just hire people from /. to solve captcha porn.

      • Yes, but how many of us would answer "retrograde wheelbarrow" to every position question? I know I would.
      • Yes, but by the time they got to the third captcha you'd need to replace the keyboard.
    • Re: (Score:2, Informative)

      by Anonymous Coward

      The trouble with this (and less funny image suggestions) is that the "CA" in "CAPTCHA" stands for "Completely Automated".

      CAPTCHAs work as a sort of AI hash function: it's easy for a computer to generate, but hard for one to solve. Using images for tests like "what position is this", or, more realistically, "is this a cat or dog" violates that principle: creating the CAPTCHA is just as much work as it is to solve! On top of that, the finite availability of images allows for a database attack. Even having

      • I don't have any background in this, but am completely fascinated by the AI implications of CAPTCHA busting bots/tech.

        I wonder if the "there can't be enough photos" issue could be solved by a script/pulling photos from a large set of images from the web itself? ie, a flickr stream/group that is specifically tagged by users for this, to contribute to the pool for image use by a presumably OSS type CAPTCHA system...
  • In capitals, like this?

    Did they pull the crown from the hands of the Pope, himself at the coronation ceremony, and declare - as did Napoleon - "I am King!"

  • by Anonymous Coward on Tuesday January 11, 2011 @10:53AM (#34835488)

    FTA:

    Researcher Jonathan Wilkins published a paper recently that included an analysis of reCAPTCHA’s security. In automated attacks he conducted against the system, he reported he had an alarming success rate of 17.5 percent.

    Well, last year someone showed at DEFCON that he could solve the reCAPTCHA CAPTCHAs with an efficacy of 30% already [slashdot.org].

    So how is this news? Am I missing something?

  • by derfy ( 172944 ) on Tuesday January 11, 2011 @10:56AM (#34835522) Homepage Journal

    ...last year.

    Google reCAPTCHA cracked
    Written by John P Mello Jr on January 5, 2010

  • End of reCAPTCHA? (Score:3, Informative)

    by deains ( 1726012 ) on Tuesday January 11, 2011 @10:56AM (#34835538)
    As much as it's nice to know reCAPTCHA is working towards a good cause (digitising old books, if you live under a rock or something), the number of times I've got incomprehensible gibberish from it makes me rather unsympathetic towards their cause. It'd be nice to think there was some better way of keeping spam out, but I guess with developer laziness and Google's endless crusade to rule the Internet we'll be stuck trying to decipher nonsense from the 1900s for a good while yet.
    • Aren't the gibberish words assembled from different letters from different unsolved words or something? They didn't talk that funny back then.

    • by Aladrin ( 926209 )

      That's assuming that it's really giving good answers, and that's why it works.

      My understanding is that it uses previous answers to check future answers. Answer incorrectly enough and it thinks that is a correct answer.

      Now, lately, I've been finding reCAPTCHAs that claim I got them wrong. I assumed I just mistyped, but it used to be a MUCH rarer occurrence.

      Maybe I'm getting them right, but the spambots are flooding it with wrong answers?
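isilrion's comment above (the server grades only the control word, and the scan word's answer is merely recorded) and Aladrin's point that previous answers are used to check future ones describe the same crowd-grading model. The following Python is an added example written for this discussion, not Google's code: a small model of a two-word CAPTCHA in which only the control word decides pass/fail, the scan word's answer is counted as one vote per session, and a scan word is promoted to a control word only after enough distinct sessions agree on it. The words, scan ids, session names and the agreement threshold are all constructed.

```python
"""Model of the two-word, crowd-graded CAPTCHA described in the thread: the
server knows one control word and grades only that; the other word comes
from an unrecognised scan and the typed answer is merely recorded as a vote.
A scan word becomes a new control word once enough distinct sessions agree.
Added example, not Google's code; the words, ids, sessions and threshold are
constructed."""

from collections import Counter, defaultdict
from typing import Optional


class TwoWordCaptcha:
    def __init__(self, control_words, agreement_threshold: int = 3):
        self.control_words = {w.lower() for w in control_words}
        self.threshold = agreement_threshold
        self.votes = defaultdict(Counter)   # scan id -> answer -> vote count
        self.voters = defaultdict(set)      # scan id -> sessions already counted
        self.resolved = {}                  # scan id -> agreed text

    def verify(self, session: str, control_word: str, control_answer: str,
               scan_id: str, scan_answer: str) -> bool:
        """Pass or fail on the control word alone.  The scan answer is never
        graded; it is counted once per session until the scan is resolved."""
        if control_word.lower() not in self.control_words:
            raise ValueError(f"{control_word!r} is not a known control word")
        if control_answer.strip().lower() != control_word.lower():
            return False
        if scan_id not in self.resolved and session not in self.voters[scan_id]:
            self.voters[scan_id].add(session)
            self.votes[scan_id][scan_answer.strip().lower()] += 1
            self._try_resolve(scan_id)
        return True

    def _try_resolve(self, scan_id: str) -> None:
        counts = self.votes[scan_id]
        answer, top = counts.most_common(1)[0]
        total = sum(counts.values())
        # Promote only with enough agreeing votes that also form a strict
        # majority, so one session's gibberish cannot become "truth" alone.
        if top >= self.threshold and 2 * top > total:
            self.resolved[scan_id] = answer
            self.control_words.add(answer)

    def consensus(self, scan_id: str) -> Optional[str]:
        return self.resolved.get(scan_id)


def honest_majority_demo() -> tuple:
    """One pass with gibberish for the scan word, one failed control answer,
    then three sessions that agree on the scan word."""
    c = TwoWordCaptcha(["overlooks"], agreement_threshold=3)
    sloppy = c.verify("s1", "overlooks", "overlooks", "scan-17", "xqzt")
    failed = c.verify("s2", "overlooks", "overlook", "scan-17", "morning")
    for s in ("s3", "s4", "s5"):
        c.verify(s, "overlooks", "overlooks", "scan-17", "morning")
    return sloppy, failed, c.consensus("scan-17"), "morning" in c.control_words


def repeated_wrong_answer_demo(agreement_threshold: int) -> Optional[str]:
    """Three distinct sessions give the same wrong scan answer before two
    honest ones arrive.  With a threshold of 3 the wrong text is locked in;
    a threshold of 5 leaves the scan unresolved, showing what the threshold
    buys: each extra agreeing session raises the cost of a bad consensus."""
    c = TwoWordCaptcha(["overlooks"], agreement_threshold)
    for s in ("b1", "b2", "b3"):
        c.verify(s, "overlooks", "overlooks", "scan-42", "xqzt")
    for s in ("h1", "h2"):
        c.verify(s, "overlooks", "overlooks", "scan-42", "evening")
    return c.consensus("scan-42")


if __name__ == "__main__":
    print(honest_majority_demo())
    print(repeated_wrong_answer_demo(3), repeated_wrong_answer_demo(5))
```

The first demo shows isilrion's observation directly: the session that typed gibberish for the scan word still passes, because only the control word is graded. The second demo is Aladrin's worry in miniature, with the one-vote-per-session rule and the majority requirement as the two knobs a verifier has to make a wrong consensus expensive rather than impossible.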

    • It'd be nice to think there was some better way of keeping spam out, but I guess developer laziness and Google's endless crusade to rule the Internet...

      Laziness has nothing to do with it. It's kind of a hard problem. The solution is worth billions. Trust me, Google really does not like the amount of spam sent from their own accounts that clogs their own services and defrauds their own users. Defeating these bots is a high priority for them and everyone else. Each of these companies is basically an army of geniuses. It's a hard problem.

    • by spectro ( 80839 )

      And they are making them harder to solve for actual humans, I have found myself failing reCaptcha on ticketmaster several times in the last few months.

  • by Anonymous Coward

    Granted this is still in research, and it is an "M$" project at the moment, but using animals for a captcha may be the next thing.

    http://research.microsoft.com/en-us/um/redmond/projects/asirra/

  • That would explain why my recaptcha protected forum suddenly started getting 30+ new accounts a day.

    Regards
    elFarto

    • I JUST upgraded my website Captcha system because I suddenly started getting bots registering on my small domain (30-40 visits / day). I now have a small math problem and ReCaptcha together, along with a hidden input field that bots love to fill out (if filled out, rejects form submit). Combine all three, and I doubt I'll see bots registering any time soon.

      The real weird thing is that the bots registered but never spammed my site. Odd.

      • by daid303 ( 843777 )

        The real weird thing is that the bots registered but never spammed my site. Odd.

        Most likely the bots failed to detect that the registration worked, or failed to parse the actual post pages. I once had a home grown wiki which was totally messed up by bots because they couldn't make heads or tails from it.
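daid303's extra text field, thejynxed's invisible form fields and the hidden input in the parent comment are all the same server-side idea, and Magic5Ball's first filter adds a case-mix heuristic on name fields. The following Python is an added example written for this discussion, not code from any of the commenters: a form-screening function that applies a honeypot field, a plain-language challenge answer and the upper/lower-case ratio check to a few constructed submissions. The honeypot field name askldjwla is taken from the thread; the challenge field name not_a_bot, the ratio bounds and the sample submissions are assumptions.

```python
"""Server-side screening of a signup form with three cheap checks from the
thread: a honeypot field humans never see, a challenge phrase typed by the
user, and a case-mix heuristic on the name field.  Added example; the field
names other than 'askldjwla', the thresholds and the submissions are assumed."""

# Hidden with CSS on the real page; a human leaves it empty, a bot that
# fills every field it finds does not (field name taken from the thread).
HONEYPOT_FIELD = "askldjwla"
# Visible field labelled: Enter "I am not a bot" here (without quotes).
CHALLENGE_FIELD = "not_a_bot"          # assumed field name
CHALLENGE_ANSWER = "i am not a bot"


def upper_case_ratio(text: str) -> float:
    """Share of alphabetic characters that are upper case; 0.0 when no letters."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for c in letters if c.isupper()) / len(letters)


def looks_like_random_fill(text: str, low: float = 0.35, high: float = 0.65,
                           min_letters: int = 6) -> bool:
    """Random-character fills mix cases roughly evenly; real names are mostly
    lower case with a capital or two.  Short strings are not judged."""
    letters = [c for c in text if c.isalpha()]
    if len(letters) < min_letters:
        return False
    return low <= upper_case_ratio(text) <= high


def normalise_answer(raw: str) -> str:
    """Tolerate the quotes the label mentions, stray whitespace and case."""
    return raw.strip().strip('"\'').strip().lower()


def screen_submission(form: dict) -> tuple:
    """Return (accepted, reasons).  Every failed check is reported so the
    rejection log shows which trap the submission fell into."""
    reasons = []
    if form.get(HONEYPOT_FIELD, "").strip():
        reasons.append("honeypot field was filled")
    if normalise_answer(form.get(CHALLENGE_FIELD, "")) != CHALLENGE_ANSWER:
        reasons.append("challenge answer does not match")
    if looks_like_random_fill(form.get("name", "")):
        reasons.append("name field looks randomly generated")
    return (not reasons, reasons)


# Constructed submissions standing in for real POST bodies.
SAMPLE_SUBMISSIONS = {
    "human": {"name": "Jane Smith", "askldjwla": "",
              "not_a_bot": '"I am not a bot"'},
    "bot_fills_everything": {"name": "aSdKjWqeRt",
                             "askldjwla": "http://example.invalid/offer",
                             "not_a_bot": "best prices"},
    "bot_skips_challenge": {"name": "Bob", "askldjwla": "", "not_a_bot": ""},
}


def screen_all(submissions=SAMPLE_SUBMISSIONS) -> dict:
    """Screen each constructed submission; returns label -> (accepted, reasons)."""
    return {label: screen_submission(form) for label, form in submissions.items()}


if __name__ == "__main__":
    for label, (accepted, reasons) in screen_all().items():
        print(f"{label:22s} {'accept' if accepted else 'reject'} {reasons}")
```

Each check is independent, so the reasons list tells you which trap caught a submission; that is what lets you notice when bots adapt to one of them (as the Anonymous reply warns they do on higher-traffic sites) while the others still hold. The case-ratio check deliberately skips short strings, since a three-letter name carries too few letters to judge.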

  • by citizenr ( 871508 ) on Tuesday January 11, 2011 @11:14AM (#34835688) Homepage

    Yesterday I decided to sign up for World of Tanks open beta. It took me 12 tries (including 3 failed sound ones) to fill reCAPTCHA correctly. Most of the time it just displays nonsense.

    • by mrsurb ( 1484303 )
      So you just failed the Turing test? You've outed yourself as an AI!
      • Totally offtopic, but this made me wonder about the converse of the Turing test - if/when computers are 'smarter' than we are (whatever that means), how will a computer know that it is talking to a true computer, and not a mere human who is possibly commanding a computer?

        Of course the question presumes some limitations on communication language, bandwidth, response time, etc. to make it a fair test. Let's say it's a transmission between two space ships, ten light minutes apart. Has the other space ship be

    • Worst I've ever seen, I don't even remember who did it, but they had white lettering on a basically white background. It was a case of "see a few letters, hope you guess the last couple right".
    • by DarkOx ( 621550 )

      This is an important point though. I too have had enough trouble solving reCAPTCHAs to become frustrated enough just to leave the site, and if I am an AI I don't know it. We have reached a point where I think even if they unbreak reCAPTCHA to the point where machines can't solve them at an effective rate, they will have crossed the threshold where it becomes so hard for humans that a new solution is needed.

  • Too bad really, I like the google captchas because they were easy to read (and served a greater purpose with the book scanning). Honestly I wish they would make some of these things harder though. How often do you really need to make an email account? I've done it just a couple times with google and wouldn't be bothered by a more complex captcha system. I suspect they don't do this because they wouldn't want people to get frustrated and go to hotmail instead because the captcha was too hard.

    though in the en

  • This approach is doomed, really. Clearly we can come up with other tasks that are difficult for computers and easy for humans, and wait until AI catches up, and move to something else. At some point much sooner than AI fully replicates human intelligence the tasks will be so difficult that in the vast majority of cases it's not just worth it for a human to go through it (e.g. # of cocks inside Jenna in a video , as suggested above). What do we do then? The captcha approach is a temporary solution, and if I
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      What do we do then?

      Require posting bonds prior to granting write access, with bond amount greater than whatever profit a spammer thinks they might make from spamming. Or better yet, an amount slightly less than spam profit, so they take the offer. Then you run your taking-spammers'-bonds site at a profit, and if it's enough profit, then its worth your time to keep an eye on the site and delete spam as it appears.

    • This approach is doomed, really. ... At some point much sooner than AI fully replicates human intelligence ... What do we do then?

      If the AI is smart enough to pass a human-test to send a spam, then another AI will be smart enough to recognize spam and not deliver it.

  • by daitengu ( 172781 ) * on Tuesday January 11, 2011 @12:00PM (#34836168) Homepage Journal
    I run a small forum that uses recaptcha. I used to get about 5-10 spam registrations a day. On the 6th I got 148, and the 7th I got 230.

    I eventually installed a plugin from StopForumSpam.com [stopforumspam.com] which is a combination blacklist/keyword checker to help weed out spammers and it's back to normal, or even below normal levels.
    • I had a forum on a relatively small site that just started getting HAMMERED by spammers.. it was like the reCAPTCHA wasn't even there.

      I switched to the forum's default scrambled letter captcha and that stopped the flood for now.

  • successfully exploited by Internet junk mail panderers

    How does one pander to junk mail?

    Perhaps the word you were looking for is peddlers?

  • Seriously, why not something like google goggles for tax forms? Or is that out there already and I'm just not looking hard enough?
  • I use a script for emailing the addresses of my clients and the script is server-side code. And since that does not load unless the form (for an email) is completely filled out, nobody can pre-look at my code and figure out anything.

    Client's email address is in a lookup in an SQL database, so nobody can see that, either.

    Solution is to capture then BLOCK the IP address of anyone sending spam through the form. So far, I have seen two messages from Belize and one from India. And now those people can no longer
