A few days ago I had to pass reCAPTCHA many times, and I noticed that an answer is accepted even if it's wrong. So I decided to examine how accurately it works.
The result was sad :).
While Chad Houck and Jason Lee broke the captcha at DEF CON 18, it has another vulnerability.
I tested the percentage of wrong answers that get accepted, and some of them are shown below.
Distance | Accepted? | Right | Wrong |
---|---|---|---|
1 | Y | gromor prolog | gromor prolok |
1 | Y | dentl anthony | dentl anghony |
2 | Y | any etiation | anq etiotion |
2 | Y | 121 cipansi | 125 cipafsi |
2 | Y | bilii three | biliy threee |
3 | Y | meolo scc | meelo scoo |
3 | Y | flowered crocc | flaweted croqc |
You can see that the accuracy is not very high. Codes with up to three errors were accepted almost all the time. Codes with four errors were accepted very rarely. Also, I didn't notice that letter matching matters.
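The "Distance" column can be reproduced as the Levenshtein edit distance between the right and the submitted answer. The following is an added example, not code from the original post or from reCAPTCHA: `accepts` and its tolerance of 3 are a hypothetical model of the behaviour observed above, set beside an exact-match check to show how much of a short answer a tolerant verifier lets through.

```python
# Added example. Pairs are copied from the table above; the tolerance of 3
# models the author's observation and is an assumption, not reCAPTCHA's code.

def levenshtein(a: str, b: str) -> int:
    """Minimum number of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,               # delete ca
                cur[j - 1] + 1,            # insert cb
                prev[j - 1] + (ca != cb),  # substitute (free if equal)
            ))
        prev = cur
    return prev[-1]

def accepts(expected: str, submitted: str, tolerance: int = 0) -> bool:
    """Hypothetical verifier: tolerance=0 is exact match."""
    return levenshtein(expected, submitted) <= tolerance

# (distance stated in the table, right answer, submitted answer)
TABLE = [
    (1, "gromor prolog", "gromor prolok"),
    (1, "dentl anthony", "dentl anghony"),
    (2, "any etiation", "anq etiotion"),
    (2, "121 cipansi", "125 cipafsi"),
    (2, "bilii three", "biliy threee"),
    (3, "meolo scc", "meelo scoo"),
    (3, "flowered crocc", "flaweted croqc"),
]

def wrong_fraction(expected: str, submitted: str) -> float:
    """Share of the expected answer that was wrong, by edit distance."""
    return levenshtein(expected, submitted) / len(expected)

if __name__ == "__main__":
    for stated, right, wrong in TABLE:
        d = levenshtein(right, wrong)
        print(f"{right!r:18} {wrong!r:18} stated={stated} computed={d} "
              f"strict={accepts(right, wrong)} "
              f"tolerant={accepts(right, wrong, tolerance=3)} "
              f"wrong={wrong_fraction(right, wrong):.0%}")
```

For the shortest entry, "meolo scc", three edits amount to a third of the nine characters, which is why a fixed edit-distance tolerance weakens short challenges the most.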
I haven't yet needed to break Google's reCAPTCHA, but I already know one of its weaknesses. You can use it too - don't waste much of your attention recognizing the words, like I did before I got this :).