Connect with us

Hi, what are you looking for?


Application Security

Researchers Devise Scalable Attack Against Google, Facebook reCaptcha

A group of security researchers has discovered vulnerabilities in the reCaptcha systems of Google and Facebook, and have created an attack that is highly successful at automatically bypassing the protection system.

A group of security researchers has discovered vulnerabilities in the reCaptcha systems of Google and Facebook, and have created an attack that is highly successful at automatically bypassing the protection system.

According to the researchers, they discovered flaws that would allow an attacker to easily influence risk analysis, bypass restrictions, and deploy large-scale attacks. Furthermore, they managed to design their attack based on deep learning technologies for the “semantic annotation of images” and say that it is as effective, or even more effective, than existing captcha-solving services.

In their paper, Suphannee Sivakorn, Iasonas Polakis, and Angelos D. Keromytis from the Department of Computer Science at Columbia University, also propose a series of safeguards and modifications to make similar attacks less efficient and more costly.

The research focused on Google’s reCaptcha system, which is based on “advanced risk analysis,” meaning that it evaluates requests to determine the difficulty of returned captcha. When tested in offline mode, the captcha-breaking system returned a 41.57 percent accuracy at 20.9 seconds per challenge.

The attack against 2,235 Google captchas was able to automatically solve 70.78 percent of the image reCaptcha challenges, at a rate of 19 seconds per challenge. Although focused on reCaptcha, the attack can be leveraged against other systems as well, and researchers tested it on Facebook’s new image captcha, where they achieved an accuracy of 83.5 percent on 200 images.

The lower accuracy when dealing with Google reCaptcha was due to the Internet giant using low-quality photos, some of which weren’t even distinguishable for the human eye. Facebook, on the other hand, uses high-resolution images, which are easier to analyze to break the captcha.

After determining the system’s accuracy, the researchers started comparing it with other captcha-breakers to assess its cost efficiency. The system proved superior to Decaptcher, an image-captcha decipher that charges $2 per 1000 solved captchas, but has only a 44.3 percent accuracy.

When checkbox captcha was considered, at a selling price of $2 per 1,000 solved captchas, the token harvesting attack could accrue $104 – $110 daily, per IP address. “By leveraging proxy services and running multiple attacks in parallel, this amount could be significantly higher for a single machine,” researchers say.

Advertisement. Scroll to continue reading.

While testing the scale of their system against checkbox captchas, researchers observed that they could run a rate of 1,200 requests per hour without being blocked. They could also peak at 2,500, while reaching between 52,000 and 55,000 requests per day, higher during weekend days.

According to the researchers, they disclosed their findings to Google, which made a series of modification to reCaptcha’s safeguards and risk analysis process. Facebook was also informed on the discovered issues, but the company has not announced any changes to its captcha system.

Related: SMS Trojan Uses Image Recognition Service to Solve CAPTCHAs

Related: FBI Says Leaky CAPTCHA Was Used to Locate Silk Road Server

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

Okta is blaming the recent hack of its support system on an employee who logged into a personal Google account on a company-managed laptop.


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...