Google reCAPTCHA Fooled By Bot

CAPTCHA, or Completely Automated Procedures for Telling Computers and Humans Apart, was a system first theorized by cryptographer Alan Turing in 1950.  We find these little “I am not a robot” challenges popping up all over the place, especially when creating a new account, registering for a web service for the first time, or sometimes as a form of poor man’s two-factor authentication.  (Something I am? = I am not a robot)  Some of the simpler tests involve looking at an image of a word or two, and then typing the words into a text box.  These tests are supposed to distinguish between a human and an automated script or bot.

Google provides three different types of reCAPTCHA tests.  They are:

  • The Image Challenge – this is where you have to match all the pictures with a storefront, or all the pictures that contain signs.
  • The Text Challenge – when you have to pick all the phrases that match a certain category.
  • The Audio Challenge – this is when you select the microphone icon to have a word or set of numbers read to you, and then you enter them into a text box.

As it turns out, some of these Turing tests have been beaten by scripts and bots, and are no longer truly secure against them.  The irony is that some of Google’s own tools have made this possible.  Last year the image challenge fell to a bot that used Google Images to find which images in the challenge matched certain category words.

The latest bot works by requesting the audio challenge regardless of which test is presented. Once the audio challenge is available, it downloads the audio file and uses Google’s speech recognition tools to translate it into text, which the bot then enters in the text box.  For more technical details, see the Naked Security article below.

Google is working on an upgraded test called Invisible reCAPTCHA, which compares the mouse movements of a human to the movements that would be provided by a bot to distinguish between computers and humans.  If you are using a Google reCAPTCHA on your web site, you may want to upgrade as soon as possible.

More information:


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.
