Stanford researchers outsmart captcha codes

Real schemes learnability: Accuracy of Decaptcha using KNN vs the size of the training set. Logarithmic scale. Image: Elie Bursztein, Stanford University

Stanford researchers say that captcha security codes, which ask Internet sign-up users to retype a string of letters to prove they are human, can be thwarted, and as proof they have successfully defeated the captchas at big-name sites such as Visa, CNN, and eBay. In fact, they found that thirteen out of 15 high-profile sites were vulnerable to automated attacks.

Captcha stands for Completely Automated Public Turing Test to tell Computers and Humans Apart. It is a test that a Carnegie Mellon University computer science graduate student and his advisor created in 2000 as a security measure to safeguard web sites from automated bot attacks and spammers.

Simply put, the test was supposed to be passable by humans but not by machines. The Stanford team, however, found that its own automated tool was able to strip away captcha's protective cover.

The researchers, Elie Bursztein, a postdoctoral researcher at the Stanford Security Laboratory, Matthieu Martin, and John C. Mitchell, were able to crack the codes. In their study, they note that site owners should take a closer look at their captchas:

“As we substantiate by thorough study, many popular websites still rely on schemes that are vulnerable to automated attacks. For example, our automated Decaptcha tool breaks the Wikipedia scheme... approximately 25% of the time. 13 out of 15 of the most widely used current schemes are similarly vulnerable to automated attack by our tool. Therefore, there is a clear need for a comprehensive set of design and testing principles that will lead to more robust captchas.”

The Stanford automated tool, Decaptcha, works by removing background noise from the image and breaking the text string into single characters so that each can be recognized more easily. The tool was run against selected websites. Visa's payment gateway was defeated 66 per cent of the time. eBay's captcha was sidestepped 43 per cent of the time. Lower thwart rates were recorded at Wikipedia, Digg and .

Google and reCAPTCHA were the only two schemes that beat the Stanford team's automated tool; no gotchas for either one.

Interestingly, reCAPTCHA also has its roots at Carnegie Mellon, where it was developed as a step up from captcha. The reCAPTCHA project added further protective distortions, random warping and lines, to produce something that would still be readable by humans but harder for machines. In 2009, Google acquired reCAPTCHA.

As for other sites using captcha, the three researchers suggest in their paper various ways to make captchas harder to outsmart. The Stanford team presented the results of their research last month at CCS 2011 (the ACM Conference on Computer and Communications Security) in Chicago.

What's more, Visa and Digg have switched to reCAPTCHA since these tests were performed.

More information: Report: … s-and-weaknesses.pdf

© 2011

Citation: Stanford researchers outsmart captcha codes (2011, November 3) retrieved 21 July 2024 from