Stanford Software Cracks Most Captchas

We can't escape them: from eBay and Facebook to Google, Visa and Wikipedia, Captchas are everywhere, a necessary evil. We struggle to type the slanted, blurry and often-indecipherable nonsense phrases to prove that we're human, and not an automated bot mass-registering accounts or posting spam. Unfortunately for the websites that rely on Captchas, a Stanford University research team has developed a tool that shows several widely deployed Captchas to be effectively worthless.

The researchers created Decaptcha, a decoding tool that first cleans up tilted, blurry, heavily-pixelated Captcha images, then splits, or segments, the text into individual letters and digits that a character recognizer can classify.
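The two stages named above, preprocessing and segmentation, are easy to see on a toy image. The following is an added example, not Decaptcha's code and not from the Stanford paper: a constructed ASCII bitmap with three letter-like blobs and a few isolated noise pixels, a denoising pass that drops tiny connected components, and a column-projection segmenter that cuts the cleaned image into one glyph per run of inked columns. The sample image, the 8-connectivity rule and the `min_size` threshold are all assumptions chosen for illustration.

```python
from collections import deque
from typing import List, Tuple

Bitmap = List[List[int]]
Span = Tuple[int, int]

# Constructed sample image (not from the paper): '#' is ink, '.' is background.
# Three letter-like blobs ("A", "t", "I") separated by blank columns, plus three
# isolated single-pixel specks standing in for background noise.
SAMPLE = [
    "..........................",
    ".###...#........###.......",
    ".#.#..###...#....#........",
    ".###...#.........#........",
    ".#.#...#...#.....#....#...",
    ".#.#...#........###.......",
    "..........................",
]


def to_bitmap(rows: List[str]) -> Bitmap:
    """Parse the ASCII art into a 0/1 matrix."""
    return [[1 if ch == "#" else 0 for ch in row] for row in rows]


def denoise(img: Bitmap, min_size: int = 3) -> Bitmap:
    """Drop 8-connected ink components smaller than min_size pixels.

    Glyph strokes form large components; speckle noise forms tiny ones, so a
    size filter removes the noise without touching the letters (assumed threshold).
    """
    h, w = len(img), len(img[0])
    seen = [[False] * w for _ in range(h)]
    out = [row[:] for row in img]
    for y in range(h):
        for x in range(w):
            if not img[y][x] or seen[y][x]:
                continue
            # Flood-fill one component and collect its pixels.
            comp, queue = [], deque([(y, x)])
            seen[y][x] = True
            while queue:
                cy, cx = queue.popleft()
                comp.append((cy, cx))
                for dy in (-1, 0, 1):
                    for dx in (-1, 0, 1):
                        ny, nx = cy + dy, cx + dx
                        if 0 <= ny < h and 0 <= nx < w and img[ny][nx] and not seen[ny][nx]:
                            seen[ny][nx] = True
                            queue.append((ny, nx))
            if len(comp) < min_size:
                for cy, cx in comp:
                    out[cy][cx] = 0
    return out


def segment(img: Bitmap) -> List[Span]:
    """Column-projection segmentation: a glyph is a maximal run of columns that
    contain at least one ink pixel. This only works when glyphs do not touch,
    which is precisely what a segmentation-resistant Captcha tries to prevent."""
    w = len(img[0])
    ink = [any(row[x] for row in img) for x in range(w)]
    spans, start = [], None
    for x, has_ink in enumerate(ink):
        if has_ink and start is None:
            start = x
        elif not has_ink and start is not None:
            spans.append((start, x - 1))
            start = None
    if start is not None:
        spans.append((start, w - 1))
    return spans


def extract_glyphs(img: Bitmap) -> List[List[str]]:
    """Crop each segmented span to its bounding box; return rows of '#'/'.'."""
    glyphs = []
    for x0, x1 in segment(img):
        rows_with_ink = [y for y, row in enumerate(img) if any(row[x0:x1 + 1])]
        y0, y1 = rows_with_ink[0], rows_with_ink[-1]
        glyphs.append(["".join("#" if px else "." for px in row[x0:x1 + 1])
                       for row in img[y0:y1 + 1]])
    return glyphs


def pipeline(rows: List[str]) -> List[List[str]]:
    """Preprocess (denoise), then segment: the two stages the article describes."""
    return extract_glyphs(denoise(to_bitmap(rows)))


if __name__ == "__main__":
    raw = to_bitmap(SAMPLE)
    print("spans without denoising:", segment(raw))
    print("spans after denoising:  ", segment(denoise(raw)))
    for glyph in pipeline(SAMPLE):
        print("\n".join(glyph), end="\n\n")
```

Run it and the point of the preprocessing stage is visible: on the raw image the projection finds five "glyphs", because each noise speck occupies a column of its own; after the size filter it finds the three real ones, each cropped to a clean bounding box ready for a recognizer.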

The team pitted Decaptcha and its obfuscation-cracking capabilities against the Captcha systems from 15 major websites, including CNN, Digg, eBay, Visa's Authorize.net payment site, Slashdot and Captcha.net. Decaptcha did best against Authorize.net (it decoded 66 percent of its Captchas), World of Warcraft maker Blizzard Entertainment (70 percent), Megaupload (93 percent) and Captcha.net (73 percent). The team's threshold is far lower than any of those figures: by its criterion, a Captcha scheme that automated software can solve more than 1 percent of the time counts as broken.

Though its success rates weren't as high against the other test sites, Decaptcha still decoded 43 percent of eBay's Captchas, 42 percent of Reddit's, 35 percent of Slashdot's and 25 percent of Wikipedia's.

"In spite of their importance, their extremely widespread use, and a growing number of research studies, there is currently no systematic methodology for designing or evaluating Captchas," researchers Elie Bursztein, Matthieu Martin and John C. Mitchell wrote in their paper, "Text-based CAPTCHA Strengths and Weaknesses." "Many popular websites still rely on schemes that are vulnerable to automated attacks."

Only Google and ReCaptcha withstood the team's decoding techniques. Decaptcha's success rate against both systems was 0 percent. ReCaptcha, CNET said, is used by more than 100,000 websites, including Facebook, Twitter, Craigslist, Ticketmaster and Microsoft. (Google owns ReCaptcha, and offers it free to anyone.)

The research team said it has no plans to release Decaptcha, and said it created the decoding tool only to help companies increase their security.

SecurityNewsDaily Staff Writer