Connect with us

Hi, what are you looking for?


Application Security

Researchers Devise Scalable Attack Against Google, Facebook reCaptcha

A group of security researchers has discovered vulnerabilities in the reCaptcha systems of Google and Facebook, and have created an attack that is highly successful at automatically bypassing the protection system.

A group of security researchers has discovered vulnerabilities in the reCaptcha systems of Google and Facebook, and have created an attack that is highly successful at automatically bypassing the protection system.

According to the researchers, they discovered flaws that would allow an attacker to easily influence risk analysis, bypass restrictions, and deploy large-scale attacks. Furthermore, they managed to design their attack based on deep learning technologies for the “semantic annotation of images” and say that it is as effective, or even more effective, than existing captcha-solving services.

In their paper, Suphannee Sivakorn, Iasonas Polakis, and Angelos D. Keromytis from the Department of Computer Science at Columbia University, also propose a series of safeguards and modifications to make similar attacks less efficient and more costly.

The research focused on Google’s reCaptcha system, which is based on “advanced risk analysis,” meaning that it evaluates requests to determine the difficulty of returned captcha. When tested in offline mode, the captcha-breaking system returned a 41.57 percent accuracy at 20.9 seconds per challenge.

The attack against 2,235 Google captchas was able to automatically solve 70.78 percent of the image reCaptcha challenges, at a rate of 19 seconds per challenge. Although focused on reCaptcha, the attack can be leveraged against other systems as well, and researchers tested it on Facebook’s new image captcha, where they achieved an accuracy of 83.5 percent on 200 images.

The lower accuracy when dealing with Google reCaptcha was due to the Internet giant using low-quality photos, some of which weren’t even distinguishable for the human eye. Facebook, on the other hand, uses high-resolution images, which are easier to analyze to break the captcha.

After determining the system’s accuracy, the researchers started comparing it with other captcha-breakers to assess its cost efficiency. The system proved superior to Decaptcher, an image-captcha decipher that charges $2 per 1000 solved captchas, but has only a 44.3 percent accuracy.

Advertisement. Scroll to continue reading.

When checkbox captcha was considered, at a selling price of $2 per 1,000 solved captchas, the token harvesting attack could accrue $104 – $110 daily, per IP address. “By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine,” researchers say.

While testing the scale of their system against checkbox captchas, researchers observed that they could run a rate of 1,200 requests per hour without being blocked. They could also peak at 2,500, while reaching between 52,000 and 55,000 requests per day, higher during weekend days.

According to the researchers, they disclosed their findings to Google, which made a series of modification to reCaptcha’s safeguards and risk analysis process. Facebook was also informed on the discovered issues, but the company has not announced any changes to its captcha system.

Related: SMS Trojan Uses Image Recognition Service to Solve CAPTCHAs

Related: FBI Says Leaky CAPTCHA Was Used to Locate Silk Road Server

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Application Security

While there are many routes to application security, bundles that allow security teams to quickly and easily secure applications and affect security posture in...