Google’s reCAPTCHA system is meant to block automated scripts, such as online bots, from generating artificial traffic or making artificial submissions on its services. The reCAPTCHA system is widely used online, including by some very notable websites such as Facebook and Craigslist. Now, however, three hackers have revealed how weak this system is.
Google’s reCAPTCHA has been targeted by hacking tools in the past too, but none of these tools has been particularly successful. However, the tool that a trio of hackers has now presented, named Stiltwalker, achieved a remarkable 99% accuracy in defeating Google’s security and making it think that it was dealing with a human instead of an automated script.
One of the three hackers who came up with the attack, Adam, wrote, “The primary thing which makes Stiltwalker stand apart is the accuracy. According to the lead researcher from the Carnegie Mellon study, the system we attacked was believed to be ‘secure against automatic attack.’”
While Google mostly uses randomly generated text that the user must enter to confirm that he is human, this test is replaced with an audio version for the visually impaired. The audio version reads aloud six words, which the user must then type. To prevent a computer from automatically ‘hearing’ these words, noise and static-laden radio broadcasts are added.
This noise is meant to confuse computers while still keeping the words audible to humans. Stiltwalker is able to fool this security mechanism and automatically detect the words, despite the added noise.
In doing so, Stiltwalker makes use of a number of security loopholes found in the reCAPTCHA system. Adam further writes, “The majority of the time, we can look at the challenge and not do any computation at all. It takes less than a second to get an answer with the MD5 solver.”
The hackers who came up with this new tool had planned to demonstrate it in a presentation at the Layer One security conference. However, just hours ahead of their presentation, Google revamped the whole security mechanism of reCAPTCHA. The new mechanism now furnishes ten words and adds background noise of human voices making unintelligible sounds.
While Google refuses to acknowledge that it revamped the reCAPTCHA system because of Stiltwalker, the hackers who created the tool are skeptical and believe that Google had been tipped off about it.
According to Google, “We took swift action to fix a vulnerability that affected reCAPTCHA, and we aren’t aware of any abuse that used the techniques discovered. We’re continuing to study the vulnerability to prevent similar issues in the future. We’ve found reCAPTCHA to be far more resilient than other options while also striking a good balance with human usability. Even so, it’s good to bear in mind that while CAPTCHAs remain a powerful and effective tool for fighting abuse, they are best used in combination with other security technologies.”