ReCAPTCHA Cracked: Has Google’s Anti-Spam Solution Been Hacked?

Abuse of Google’s reCAPTCHA system has been reported, although Google denies the claims. It is alleged that the system has now been exploited by junk mail senders. Google uses the system to protect Web sites from spammers.

Research published by Jonathan Wilkins on the security system demonstrated a 17.5% success rate against it, which leaves the system highly vulnerable. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. The concept is to present users with an image that is said to be unrecognizable to machines. In essence, the research found that the warped images, intended to resist optical recognition, cannot block 100% of unwanted bots from getting into the system. These bots are used to create an alarming 864,000 accounts per day for spamming.

Google, on the other hand, claims that the research done by Wilkins involves an outdated version of reCAPTCHA from 2008, and that the system has been changed and upgraded since then. Wilkins has confirmed that the tests were run against the older version, but says he has also run new tests against the new set of images now in use, which showed that the success rate only increased.

The older CAPTCHA versions used horizontal lines designed to prevent machines from recognizing the words in the image. The lines, however, also made reading difficult for humans. The new version, on the other hand, dropped the lines and uses OCR images, which are easier for humans to read but have been proven to be easily readable by machines as well.

Google’s two-word images serve two purposes integrated into its CAPTCHA system. The first is protection from spammers. The second is to aid data collection for its OCR software. Google uses unreadable images of problematic words from the books being digitized; users read and input them, which adds the unrecognizable word to its dictionary.

Another alarming issue with reCAPTCHA is that an answer with a single incorrect letter is still accepted by the system as valid. Concerns about the credibility of Google’s reCAPTCHA have led others to use alternatives, such as Microsoft’s Asirra, which uses images of cats and dogs. This system asks the user to categorize 12 images as canine or feline. Microsoft calls this method Human Interactive Proof (HIP). This system, on the other hand, requires large databases to back it up, since high-capacity computational power is needed simply to prevent spammer attacks; Microsoft uses Petfinder.com to complement its method, drawing on over 3 million photos from the pet site.