Saturday, March 19, 2011

reCAPTCHA Recognition

A few days ago I had to pass reCAPTCHA many times, and I noticed that an answer is accepted even if it's wrong. So I decided to examine how accurately it works.

The result was sad :).

While Chad Houck and Jason Lee broke the captcha at DEF CON 18, it has another vulnerability.

I tested what percentage of wrong answers is accepted, and some of the tests are shown below.

Distance  Accepted?  Right            Wrong
1         Y          gromor prolog    gromor prolok
1         Y          dentl anthony    dentl anghony
2         Y          any etiation     anq etiotion
2         Y          121 cipansi      125 cipafsi
2         Y          bilii three      biliy threee
3         Y          meolo scc        meelo scoo
3         Y          flowered crocc   flaweted croqc

You can see that accuracy is not very high. Codes with up to three errors were accepted almost all the time. Codes with four errors were accepted very rarely. Also, I didn't notice that letter matching matters.
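The behaviour in the table can be modelled as a verifier that accepts any answer within a fixed edit distance of the expected one. This is an added example, not code from the post or from reCAPTCHA: it assumes "Distance" means Levenshtein distance summed over the two words, the function names and the `tolerance` parameter are hypothetical, and the four-error pair is constructed.

```python
# Added example: a model of a tolerant answer check, not reCAPTCHA's real code.
# Assumption: "Distance" in the table is Levenshtein edit distance.

def levenshtein(a: str, b: str) -> int:
    """Edit distance counting insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]

def answer_distance(expected: str, submitted: str) -> int:
    """Sum of per-word distances; a different word count counts as all wrong."""
    exp, sub = expected.split(), submitted.split()
    if len(exp) != len(sub):
        return max(len(expected), len(submitted))
    return sum(levenshtein(e, s) for e, s in zip(exp, sub))

def accepts(expected: str, submitted: str, tolerance: int) -> bool:
    """Hypothetical verifier: accept when the distance is within tolerance."""
    return answer_distance(expected, submitted) <= tolerance

# (reported distance, right answer, wrong answer) rows from the post's table.
ROWS = [
    (1, "gromor prolog", "gromor prolok"),
    (1, "dentl anthony", "dentl anghony"),
    (2, "any etiation", "anq etiotion"),
    (2, "121 cipansi", "125 cipafsi"),
    (2, "bilii three", "biliy threee"),
    (3, "meolo scc", "meelo scoo"),
    (3, "flowered crocc", "flaweted croqc"),
]
# Constructed pair with four errors, not taken from the post.
FOUR_ERRORS = ("flowered crocc", "flaweted qroqc")

def decisions(tolerance: int) -> list:
    """Accept/reject decision for every table row at the given tolerance."""
    return [accepts(right, wrong, tolerance) for _, right, wrong in ROWS]

if __name__ == "__main__":
    for reported, right, wrong in ROWS:
        print(reported, answer_distance(right, wrong),
              accepts(right, wrong, 3), accepts(right, wrong, 0))
    print("four errors at tolerance 3:", accepts(*FOUR_ERRORS, 3))
```

With a tolerance of 3 every row in the table is accepted and the constructed four-error answer is rejected; with a tolerance of 0 (exact match) every row is rejected.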

I haven't yet needed to break Google's reCAPTCHA, but I already know one of its weaknesses. You can use it too - don't waste much of your attention recognizing the words, like I did before I got this :).