Three security researchers have devised a new automated attack which can break the CAPTCHA systems used by Google and Facebook.
The researchers used a large number of actors to carry out their attack and bypass CAPTCHA security measures (cookies, tokens). They used machine learning to “guess” the correct CAPTCHA image with a very high degree of accuracy.
The results of this new attack were much better than expected. Against Google's reCAPTCHA system, the researchers recorded a success rate of 70.78% over 2,235 CAPTCHAs. The average CAPTCHA solving time was 19.2 seconds.
On Facebook, the researchers had a better success rate, reaching 83.5% over 200 CAPTCHAs.
The better accuracy rate in solving Facebook CAPTCHAs stems from the fact that the social network uses higher-resolution images that depict objects from different categories. Google, on the other hand, uses low-quality photos that are always related to each other, which makes automatic image classification much more difficult.
The researchers have provided Google and Facebook with the findings of their study and say that Google has taken some steps to re-secure reCAPTCHA, while Facebook has not yet responded to them.
The researchers are Suphannee Sivakorn, Jason Polakis, and Angelos D. Keromytis. Their paper, "I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs", is available on the page of the Department of Computer Science at Columbia University. Another copy is also available through Black Hat Asia 2016, where the attack was presented.