Three security researchers have devised a new automated attack that can break the CAPTCHA systems used by Google and Facebook.
The researchers combined several weaknesses of the CAPTCHA workflow (including how cookies and tokens are handled) with machine learning that "guesses" the correct CAPTCHA images with a very high degree of accuracy.
The results of the new attack were much better than expected. Against Google's reCAPTCHA, the researchers achieved a success rate of 70.78% over 2,235 CAPTCHAs, with an average solving time of 19.2 seconds per CAPTCHA.
On Facebook, the researchers did even better, reaching 83.5% over 200 CAPTCHAs.
The higher accuracy on Facebook's CAPTCHA is due to the fact that the social network uses higher-resolution images and shows objects from different categories. Google, on the other hand, uses low-quality photos that are always related to one another, which makes automatic classification of the images much harder.
The researchers shared the findings of their study with Google and Facebook, and say that Google has taken some steps to harden reCAPTCHA, while Facebook has not yet responded to them.
The researchers are Suphannee Sivakorn, Jason Polakis, and Angelos D. Keromytis. Their paper is titled "I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs" and is available on the Department of Computer Science page of Columbia University. Another copy is also available through Black Hat Asia 2016, where the attack was presented.