Researchers devised a reCaptcha breaking system effective against Google and Facebook

A group of boffins discovered vulnerabilities in the reCaptcha systems of Google and Facebook and devised an attack method.

The security experts Suphannee Sivakorn, Iasonas Polakis, and Angelos D. Keromytis have devised an attack technique against Facebook and Google reCaptcha. The boffins from the Department of Computer Science at Columbia University have discovered security vulnerabilities in the reCaptcha systems of the IT giants and have devised an attack technique that allows them to automatically influence the risk analysis and bypass the protection system.

The technique could be used to launch large-scale attacks.

In a first phase, the researchers tested the accuracy of their reCaptcha breaking system; in a second phase, they compared their attack technique with other captcha-breakers to conduct an economic analysis of their method.

The experts also proposed a series of mitigation techniques against attacks like the one they have elaborated.

The research focused on Google’s reCaptcha system, which implements an “advanced risk analysis” that analyzes requests to determine the difficulty of the returned captcha. The researchers tested their attack method in offline mode, where the captcha-breaking system obtained a 41.57 percent success rate at 20.9 seconds per challenge.

“As such, we evaluate our system in an offline mode, where no online information or service is used. Under such restrictions, and running on commodity hardware, our attack solves 41.57% of the captchas while requiring only 20.9 seconds per challenge, with practically no cost.” reads the paper published by the experts.

The researchers tried to automatically break 2,235 Google captchas, obtaining a 70.78 percent success rate in solving reCaptcha challenges, at a rate of 19 seconds per challenge.

In live tests the success rate was higher because of image repetition in reCaptcha.

“We ran our captcha-breaking system against 2,235 captchas, and obtained a 70.78% accuracy. The higher accuracy compared to the simulated experiments is, at least partially, attributed to the image repetition; the history module located 1,515 sample images and 385 candidate images in our labelled dataset” continue the experts.

The team of experts also evaluated the efficiency of their method against Facebook’s image captcha, and the results were very good. The team reached an accuracy of 83.5 percent on 200 images.

The method appears more effective against the Facebook reCaptcha system because Google is using low-quality photos that in many cases are not easily distinguishable even for a human.

The technique devised by the experts is more efficient when the targeted reCaptcha system uses high-resolution images that are easier to analyze.

The reCaptcha breaking system devised by the group is superior to Decaptcher, a popular system that charges $2 per 1,000 solved image captchas and has only a 44.3 percent accuracy.

When dealing with checkbox captchas, at a selling price of $2 per 1,000 solved captchas, the token harvesting attack devised by the team could obtain $104 – $110 daily, per IP address.

“Assuming a selling price of $2 per 1,000 solved captchas, our token harvesting attack could accrue $104 – $110 daily, per host (i.e., IP address). By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine.” states the paper.

When dealing with checkbox captchas, the system could run at a rate of 1,200 requests per hour without being blocked. The attack could peak at 2,500, reaching between 52,000 and 55,000 requests per day, and 59,000 on the weekend.

The team shared the results of their study with Google and Facebook. While Google used the information to improve its reCaptcha system, Facebook hasn’t yet implemented enhancements.

Pierluigi Paganini 

(Security Affairs – reCaptcha system, hacking)
