A few days ago I was required to pass reCAPTCHA for many times. And I noticed that it's being accepted even if it's wrong. So, I decided to examine how accurately it works.
The result was sad :).
While Chad Houck and Jason Lee broke the captcha on DEF CON 18 it has another vulnerability.
I tested percentage of wrong accepting and some of them are shown below.
Distance | Accepted? | Right / Wrong | Image |
---|---|---|---|
1 | Y | gromor prolog gromor prolok | |
1 | Y | dentl anthony dentl anghony | |
2 | Y | any etiation anq etiotion | |
2 | Y | 121 cipansi 125 cipafsi | |
2 | Y | bilii three biliy threee | |
3 | Y | meolo scc meelo scoo | |
3 | Y | flowered crocc flaweted croqc |
You can see that accuracy is not very high. Codes with up to three errors were accepted almost all the time. Codes with four errors were accepted very rarely. Also I didn't notice that letter matching matters.
I haven't yet need to break Google's reCAPTCHA but I have already known one of its weakness. You can use it too - don't waste much your attention recognizing the words, like I did before I got this :).
No comments:
Post a Comment