A script that automatically breaks Google's spam-fighting "reCAPTCHA" with over 99% success has emerged



Google's "reCAPTCHA" is widely used to prevent comment spam, as a way of telling whether the other party is a human being or a machine. Now a script called "Stiltwalker" has appeared that breaks it with a success rate of 99% or more.

Google's reCAPTCHA briefly cracked - The H Security: News and Features


At the LayerOne security conference, held in Los Angeles last weekend, a trio from the DC 949 research team revealed how they broke through reCAPTCHA.

CAPTCHA stands for "Completely Automated Public Turing test to tell Computers and Humans Apart": a Turing test that automatically sorts humans from machines. Among the many CAPTCHA systems, reCAPTCHA, provided by Google, is regarded as one of the most reliable.

ReCAPTCHA: Stop Spam, Read Books
http://www.google.com/recaptcha


What reCAPTCHA presents is two words to be read. The words are distorted and overlaid with noise so that they are hard to read, the intent being that only a human being can read them correctly.


The script "Stiltwalker" reached its 99% success rate by analyzing the audio version of reCAPTCHA, which Google provides for visually impaired users. The visual CAPTCHA draws on a huge vocabulary and displays arbitrary words from it, but the audio version's library contained only 58 words: color names, numbers, vehicles, days of the week, kitchen utensils, miscellaneous goods and the like.


These 58 words belong to the new version; the old version consisted of only the ten digits. Against that old version, for example, a Stanford University team in 2011 achieved a success rate of 1.52%, and a Carnegie Mellon University team in 2008 achieved 58%.


The DC 949 research team, however, surpassed that with 99.1%: 17,338 correct answers out of 17,495 attempts.


In the new 58-word version, changes were made to hinder automated analysis, such as a radio-like sound played in the background, but it has already been confirmed that this background sound is also drawn from a limited set of data, and the success rate against the new version is about 60%.


The change to this new version is said to have been made just before the presentation, so the successful break could not be shown in the live demonstration, but the venue was nonetheless excited.


A video of the full presentation has been released on YouTube.
LayerOne 2012: DC - 949 - Codename Stiltwalker - YouTube


Also, in keeping with the phrase "We will release everything", the source code and other materials have been published on the team's site.

Stiltwalker - Defcon Group 949

in Software, Web Service, Posted by logc_nt