Gmail’s CAPTCHA Cracked

It has emerged, not long after a group of hackers cracked the Windows Live Mail’s CAPTCHA, Google’s Gmail CAPTCHA has also been hacked (possibly by the same group).

Hacking Gmail is a huge scalp for the hackers, it gives them:

  • use of the gmail.com domain name — a domain name that is unlikely to be blacklisted by spam filters.
  • access to a wide range of Google services
  • hacker kudos

Not to mention; due to the volume of Gmail users – they are going to be hard to track.

Should we worry about this?

Yes and no.

Google will undoubtedly fix the immediate threat, but the bigger issue is that CAPTCHAs are being hacked more and more successfully. For instance, since July 2007 the HotLan Trojan has created more than 500,000 spam email accounts with Hotmail, Yahoo! and Gmail.

With no end in sight for the arms race between the hackers and developers. CAPTCHA’s days seem numbered, (I for one would be happy to see the death of the CAPTCHA [as it currently stands]). But, what will be the next solution?

What methods are developers going to have to introduce to combat the hackers?

KittenAuth? And ultimately are all attempts to prove your human in an electronic arena bound to fail?

Free book: Jump Start HTML5 Basics

Grab a free copy of one our latest ebooks! Packed with hints and tips on HTML5's most powerful new features.

  • Python

    I agree that the Captcha technique is a bit dated now. But what other alternatives are there? The new solution needs to be easy and intuitive to use but remain as secure as possible.

    Regards
    Michael M.

  • http://ian.sundermedia.com TheLunchBox

    While KittenAuth is a little too silly for widespread use it does demonstrate a solution. It provides an image based human recognition system that’s not based on text. Any text that a person can read can probably be read by a computer.

    However, authentication that requires comprehension could be used. Recognizing an animal from a photo or counting a specific shape could work.

  • http://www.sitepoint.com AlexW

    However, authentication that requires comprehension could be used. Recognizing an animal from a photo or counting a specific shape could work.

    I’m not so sure about that.

    Firstly, ‘how many kittens in this picture?’ assumes you can see the picture. Not exactly accessibility heaven.

    Secondly the questions can never be too difficult to answer or you’ll start to exclude people who might have reading, cognitive or learning difficulties — so the answers need to be relatively simple stuff like ‘red’, ‘five’ and ‘puppy’.

    I like the chances of someone writing a bot that tries the few hundred best guesstimates it has for a given question, and then records that question/answer pair to a central DB. From then on, every time it comes across that same question it’s much less resource intensive than any normal CAPTCHA. Unless there is a bottomless well of new questions, I can only see it slowing them down slightly until the database is populated.

    For instance, there are only so many practical answers to any question that starts with ‘How many..’ You can’t expect a user to correctly count 75 chickens.

    ‘What’ question are slightly more open-ended, but I don’t think it’s as unfathomable as people think.

  • Bill_Stanbrook

    However, authentication that requires comprehension could be used. Recognizing an animal from a photo or counting a specific shape could work.

    I’ve considered using that approach, but I can see some issues with it depending on how the user supplies the correct response. If they select an answer from multiple choices, then the hacker could simply play the percentages by selecting an answer at random, and working with whatever percentage of successful entries were returned. If the user was required to type the answer in a text box, then you have issues with the fact that half the people on the internet can’t spell worth a damn.

  • http://ian.sundermedia.com TheLunchBox

    Both valid points. Hopefully the bright guys at Google come up with something.

    In the meantime, feel free to use this amazingly simple and elegant system I’ve designed.

  • http://ian.sundermedia.com TheLunchBox

    Whoops, forgot the link

    http://sundermedia.com/human/

  • http://scythe.hu szigeti

    @TheLunchBox
    Your amazingly simple, yet rather annoying system thinks that I am only 12% human. I don’t think I’ll be back.

  • http://ian.sundermedia.com TheLunchBox

    @szigeti:

    Sorry, I don’t accept advice from robots. :)

  • Shazalakadze

    I think that some people who posted above don’t even know how captcha is bypassed, but they still comment on issue. Weird.

  • http://www.mikedesign.net/ mauteri

    @Shazaiakadze

    Actually, I was kind of wondering how captcha is bypassed…

  • fproof

    Then how long will it take before they crack the widely used reCAPTCHA as well…

  • http://ian.sundermedia.com TheLunchBox

    @Shazalakadze:

    That makes sense, I’m sure image recognition is trickier than other ways. Do you know how they did it? A little knowledge about how they did it might help us have a better dialog about how to stop it.

    BTW: I still stand by my human test.

  • Shazalakadze

    It goes something like this:
    somebody comes to website (usually porn or sth), where he surfs trough and gets to kind of video/pic (prog underneath) showing some babe (blond i guess ;) and captcha under it, and he is called to enter correctly what the captcha is representing (to get babe striped) and his input is used for making account or whatever on site the captcha is grabbed from in the real time. This is something like simultaneous action. And after correct input he gets more, and more and… finally he gets babe striped off completely.
    I hope you got basics. ;)

    PS Its all about human factor

  • http://www.mikehealy.com.au cranial-bore

    In other words those trying to break a captcha “pass it on” to a real human on a website they run and use the human answer provided to sign up for their Gmail account.
    The same technique could be used to scrape a registration form for “What is” style questions too.

  • Shazalakadze

    @cranial-bore
    Exactly