A trio of security researchers have devised a new automated attack that can break the CAPTCHA systems employed by Google and Facebook.
The researchers combined several techniques in their attack, using tricks to bypass CAPTCHA security measures (cookies, tokens) and machine learning to "guess" the correct image CAPTCHA answer with a higher degree of accuracy than previous studies.
Experiment achieves very high accuracy
The results of this new attack were better than the researchers expected. On Google's reCAPTCHA system, they recorded a 70.78 percent success rate over 2,235 CAPTCHAs. The average CAPTCHA solving time was 19.2 seconds.
They did better on Facebook's system, with a success rate of 83.5 percent on over 200 CAPTCHAs.
The better accuracy on Facebook CAPTCHAs stems from the fact that the social network uses images with a higher resolution, which also depict objects from distinct categories. Google, on the other hand, uses low-quality photos that are always related to each other, which makes automatic image classification much harder.