Yahoo! CAPTCHA Cracked

January 30, 2008 by PatB | 4 comments

By PatB
Contributing Writer, [GAS]

According to experts, one of the strongest implementations of CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) out there is owned by Yahoo!. Last week, Russian hackers cracked the CAPTCHA by achieving a 35% recognition rate of CAPTCHA images by an automated system.

According to the Hacker Webzine here,

Let there be no mistake: the CAPTCHA that Yahoo! deploys is believed one of the most difficult CAPTCHA’s to crack. It utilizes bended alpha numeric characters and other features you might expect from a strong CAPTCHA, and still it’s easy to solve by humans. I think this is a great leap in character recognition and the death punch to the CAPTCHA

The hacker said that only a 15% recognition rate is needed to become economically viable to intruders at 100,000 guesses per day, versus the going rate for human CAPTCHA recognition, which is a penny per decode. At 35% accuracy, automatic locking features designed to prevent guessing at 3 tries is defeated as well.

The hacker claimed to have notified Yahoo! of the issue, but released his cracking code onto filesharing networks anyways. From Computerworld here:

This week a programmer using the pseudonym “John Wane” and claiming to be a Russian security researcher posted code for a decoder system that he said can attain an accuracy rate of about 35%.

In a statement, Yahoo said it is aware of attempts being made toward automated solutions for CAPTCHA images, and is working on improvements to the system and other defenses.

The obvious impact of this security defeat is that more free email addresses can be automatically registered for phishing, spam, and fraud. Other online resources are threatened as well, such as blog spam prevention and commenting, online purchases of goods, or even concert booking and ticketing.

Sharing is Sexy!