Google revamped its reCAPTCHA system, used to block automated scripts from abusing its online services, just hours before a trio of hackers unveiled a free system that defeats the widely used challenge-response tests with more than 99 percent accuracy.
Stiltwalker, as the trio dubbed its proof-of-concept attack, exploits weaknesses in the audio version of reCAPTCHA, which is used by Google, Facebook, Craigslist and some 200,000 other websites to confirm that humans and not scam-bots are creating online accounts. While previous hacks have also used computers to crack the Google-owned CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart) system, none have achieved Stiltwalker’s impressive success rate.
“The primary thing which makes Stiltwalker stand apart is the accuracy,” wrote Adam, one of the three hackers who devised the attack, in an e-mail. “According to the lead researcher from the Carnegie Mellon study, the system we attacked was believed to be ‘secure against automatic attack,'” he added, referring to this resume from a Carnegie Mellon University computer scientist credited with designing the audio CAPTCHA.
How a trio of hackers brought Google’s reCAPTCHA to its knees