Security researchers defeat reCAPTCHA

Automated attack breaks access system used by Google and Facebook

Google's reCAPTCHA hacked?
Google's reCAPTCHA hacked?

A trio of security researchers has demonstrated how Google's reCAPTCHA technology can be broken. The technology is used by Google, Facebook and others to protect websites against spam and abuse.

According to a research paper, published by Suphannee Sivakorn, Jason Polakis, and Angelos D Keromytis of Columbia University, the researchers managed to identify flaws in the technology that would enable hackers to influence the risk analysis, bypass restrictions, and deploy large-scale attacks.

“Subsequently, we designed a novel low-cost attack that leverages deep learning technologies for the semantic annotation of images,” said the researchers.

The system uses techniques to bypass CAPTCHA security measures such as tokens and cookies as well as machine learning to correctly guess images presented to it.

The researchers said the system they had devised was “extremely effective”, automatically solving 70.78 percent of the image reCaptcha challenges, while requiring only 19 seconds per challenge. The trio also applied this attack to the Facebook image captcha and achieved an accuracy of 83.5 percent.

The researchers said that the enhanced accuracy of the attack system on Facebook's security was down to the higher-resolution images it used. Google's lower resolution images make it difficult for the automated system to classify images.

The researchers said that while accuracy may increase over time as the human solvers become more accustomed to the image reCaptcha, “it is evident that our system is a cost-effective alternative”.

“Nonetheless, our completely offline captcha-breaking system is comparable to a professional solving service in both accuracy and attack duration, with the added benefit of not incurring any cost on the attacker,” said the researchers in the research paper.

Researchers said that assuming a selling price of US$ 2 per 1,000 solved captchas, hackers could make US$ 104 - US$ 110 daily, per host (ie, IP address). “By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine,” the researchers warned.

Before going pubic with their findings, the researchers notified Google and Facebook. According to the researchers, Google took steps to harden reCAPTCHA, but Facebook hadn't responded with any changes.

Alex Cruz Farmer, vice president of cloud at NSfocus, told SCMagazineUK.com that hackers being able to bypass reCAPTCHA now creates a very critical issue as a line of defence against automated SQL injection attacks.

“With a reCAPTCHA in place, attackers would have to complete the verification step before they were able to check the result of their SQL injection results. With that in mind, this now means that the only way to block SQL injection is to ensure robust field validation and, most importantly, having Web Application Firewalls in place to protect against XSS (Cross-site Scripting) and DLP (Data Loss Protection),” he said.

Carl Herberger, vice president of security solutions at Radware, told SC that the industry needs to get better at quickly establishing the legitimacy of not just people vs machines, but also good people vs bad people (which CAPTCHA doesn't do) and Good Bots vs Bad Bots (which CAPTCHA also doesn't do).

“Some of the most promising technologies include the ability to develop reputations based on a device's history via something called “Fingerprinting”. This is a technical term today to be able to essentially scan a device, understand it, uniquely characterise it (eg 'Fingerprints') and then track its behaviour and take actions on past good and bad behaviours,” he said.

James Romer, EMEA chief security architect, SecureAuth, told SCMagazineUK.com that organisations should be aware of the ability to layer authentication strategies together as part of a complete authentication solution.

“The ability to analyse contextual information and behavioural biometric information, wrap around an identity to protect and drive the user journey, allows an organisation to maintain a consistent perimeter as the identity interacts within an organisation,” he said.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS