Researchers Devise Scalable Attack Against Google, Facebook reCaptcha

A group of security researchers has discovered vulnerabilities in the reCaptcha systems of Google and Facebook, and have created an attack that is highly successful at automatically bypassing the protection system.

According to the researchers, they discovered flaws that would allow an attacker to easily influence risk analysis, bypass restrictions, and deploy large-scale attacks. Furthermore, they managed to design their attack based on deep learning technologies for the “semantic annotation of images” and say that it is as effective, or even more effective, than existing captcha-solving services.

In their paper, Suphannee Sivakorn, Iasonas Polakis, and Angelos D. Keromytis from the Department of Computer Science at Columbia University, also propose a series of safeguards and modifications to make similar attacks less efficient and more costly.

The research focused on Google’s reCaptcha system, which is based on “advanced risk analysis,” meaning that it evaluates requests to determine the difficulty of returned captcha. When tested in offline mode, the captcha-breaking system returned a 41.57 percent accuracy at 20.9 seconds per challenge.

The attack against 2,235 Google captchas was able to automatically solve 70.78 percent of the image reCaptcha challenges, at a rate of 19 seconds per challenge. Although focused on reCaptcha, the attack can be leveraged against other systems as well, and researchers tested it on Facebook’s new image captcha, where they achieved an accuracy of 83.5 percent on 200 images.

The lower accuracy when dealing with Google reCaptcha was due to the Internet giant using low-quality photos, some of which weren’t even distinguishable for the human eye. Facebook, on the other hand, uses high-resolution images, which are easier to analyze to break the captcha.

After determining the system’s accuracy, the researchers started comparing it with other captcha-breakers to assess its cost efficiency. The system proved superior to Decaptcher, an image-captcha decipher that charges $2 per 1000 solved captchas, but has only a 44.3 percent accuracy.

When checkbox captcha was considered, at a selling price of $2 per 1,000 solved captchas, the token harvesting attack could accrue $104 – $110 daily, per IP address. “By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine,” researchers say.

While testing the scale of their system against checkbox captchas, researchers observed that they could run a rate of 1,200 requests per hour without being blocked. They could also peak at 2,500, while reaching between 52,000 and 55,000 requests per day, higher during weekend days.

According to the researchers, they disclosed their findings to Google, which made a series of modification to reCaptcha’s safeguards and risk analysis process. Facebook was also informed on the discovered issues, but the company has not announced any changes to its captcha system.

Related: SMS Trojan Uses Image Recognition Service to Solve CAPTCHAs

Related: FBI Says Leaky CAPTCHA Was Used to Locate Silk Road Server