Breaking News

Researchers devised a reCaptcha breaking system effective against Google and Facebook

A group of boffins discovered vulnerabilities in the reCaptcha systems of Google and Facebook and devised an attack method.

The security experts Suphannee Sivakorn, Iasonas Polakis, and Angelos D. Keromytis have devised an attack technique against Facebook and Google reCaptcha. The boffins from the Department of Computer Science at Columbia University have discovered security vulnerabilities in the reCaptcha systems of the IT Giants and have devised an attack technique that allows them to automatically influence risk analysis and bypass the protection system.

The technique could be used to launch large-scale attacks.

In a first phase, the researchers tested the accuracy of their  reCaptcha breaking system, in a second phase they compared their attack technique with other captcha-breakers to conduct an economic analysis of their method.

The experts also proposed a series of mitigation techniques against attacks like the one they have elaborated.

The research focused on the Google’s reCaptcha system that implements anadvanced risk analysis,” it analyze requests to determine the difficulty of returned captcha. The researchers tested their attack method in offline mode, the captcha-breaking system obtained a 41.57 percent success rate at 20.9 seconds per challenge.

“As such, we evaluate our system in an offline mode, where no online information or service is used. Under such restrictions, and running on commodity hardware, our attack solves 41.57% of the captchas while requiring only 20.9 seconds per challenge, with practically no cost.” reads the paper published by the experts.

The researchers tried to automatically break 2,235 Google captchas obtaining a percentage of success of 70.78 in resolving reCaptcha challenges, at a rate of 19 seconds per challenge.

In live tests the success rate was higher because image repetition of the reCaptcha.

“We ran our captcha-breaking system against 2,235 captchas, and obtained a 70.78% accuracy. The higher accuracy compared to the simulated experiments is, at least partially, attributed to the image repetition; the history module located 1,515 sample images and 385 candidate images in our labelled dataset” continues the experts.

The team of experts also evaluated the efficiency of their method against the Facebook’s image captcha, and the results were very good. The team reached an accuracy of 83.5 percent on 200 images.

The method appears more effective against the Facebook reCaptcha system because Google is using low-quality photos that in many cases are no easily distinguishable also for a human.

The technique devised by the experts is more efficient when the targeted reCaptcha system uses high-resolution images that are easier to analyze.

The reCaptcha breaking system devised by the group is superior to Decaptcher, a popular system that charges $2 per 1000 solved image captchas that has only a 44.3 percent accuracy.

When dealing checkbox captcha, at a selling price of $2 per 1,000 solved captchas, the token harvesting attack devised by the team could obtain $104 – $110 daily, per IP address.

Assuming a selling price of $2 per 1,000 solved captchas, our token harvesting attack could accrue $104 – $110 daily, per host (i.e., IP address). By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine.” states the paper.

When dealing with checkbox captchas, the system could run a rate of 1,200 requests per hour without being blocked. The attack could peak at 2,500, reaching between 52,000 and 55,000 requests per day, and 59,000 in the weekend.

The team shared the results of their study with Google and Facebook. While Google used the information to improve its reCaptcha system, Facebook hasn’t yet implemented enhancements.

[adrotate banner=”9″]

Pierluigi Paganini 

(Security Affairs – reCaptcha system, hacking)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

2 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

16 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

23 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.