Bug in audio version allowed easily passing the test

Aug 4, 2010 12:30 GMT

Google moved swiftly to fix a glaring security hole in the audio version of its reCAPTCHA service, which was publicly disclosed yesterday. The bug allowed anyone to easily beat the test by inputting a long-enough sequence of words.

CAPTCHA stands for “Completely Automated Public Turing test to tell Computers and Humans Apart” and is a system meant to block abuse like comment spam or fake account registrations. The fundamental idea is to present users with a test that only humans are able to solve before allowing them to perform an action.

reCAPTCHA is the most popular CAPTCHA implementation and is offered as a service by Google. Initially developed at Carnegie Mellon University's School of Computer Science, reCAPTCHA is currently used by countless forums, blogs and other types of websites.

“Google's reCAPTCHA is currently broken. At the moment, you may follow these steps to complete a CAPTCHA without user-input: 1) Click the "Play Sound" button [...]; 2) Enter any sentence comprising of 10 words ("google google google google google google google google google google", as an example),” a user named Harry Strongburg wrote in an email sent to the Full Disclosure mailing list yesterday. However, according to reports posted on the reCAPTCHA Google group, typing any number of words greater than the number of words in the sentence played by the audio test bypassed validation.
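The reports above describe only the symptom (a response with more words than the spoken challenge was accepted, whatever those words were), not the defect behind it. The following is an added illustration, not reCAPTCHA's code: `lenient_check` is a hypothetical validator written so that it reproduces exactly the reported behaviour, `strict_check` shows the comparison a challenge validator should actually make, and `looks_like_bypass` is a simple log-side heuristic for spotting responses of the kind quoted in the disclosure. The challenge sentence, the tolerance parameter and the function names are all assumptions made for the example.

```python
"""Model of the audio-CAPTCHA validation failure described in the article.

Added example, not Google's code. The real cause of the bug was never published;
lenient_check is a constructed validator that behaves the way the reports say
the service behaved (any response with at least as many words as the challenge
passes), and strict_check is the correct comparison.
"""
import re


def normalize(text: str) -> list[str]:
    """Lower-case the text, drop punctuation and split it into words."""
    return re.findall(r"[a-z0-9]+", text.lower())


def lenient_check(expected: str, response: str) -> bool:
    """Hypothetical flawed validator (constructed for this example).

    It rejects responses that are too short, then walks the words pairwise.
    The bug: the result flag is only ever set on agreement and never cleared
    on a mismatch, so any response that is long enough returns the initial
    value True even when not a single word matches.
    """
    exp, resp = normalize(expected), normalize(response)
    if len(resp) < len(exp):
        return False
    ok = True  # never set to False below: this is the defect
    for e, r in zip(exp, resp):
        if e == r:
            ok = True
    return ok


def strict_check(expected: str, response: str, tolerance: int = 0) -> bool:
    """Correct comparison: same word count, then at most `tolerance`
    positional mismatches (tolerance > 0 lets an audio test forgive one
    misheard word without ever accepting arbitrary input)."""
    exp, resp = normalize(expected), normalize(response)
    if len(exp) != len(resp):
        return False
    mismatches = sum(1 for e, r in zip(exp, resp) if e != r)
    return mismatches <= tolerance


def looks_like_bypass(expected: str, response: str) -> bool:
    """Detection heuristic for review of submission logs: flag responses that
    carry more words than the challenge or that repeat one word throughout,
    the two traits of the submissions quoted in the disclosure."""
    exp, resp = normalize(expected), normalize(response)
    if not resp:
        return False
    return len(resp) > len(exp) or (len(resp) > 1 and len(set(resp)) == 1)


if __name__ == "__main__":
    # Constructed sample challenge and the ten-word response from the report.
    challenge = "four score and seven"
    junk = " ".join(["google"] * 10)
    print("lenient accepts junk:", lenient_check(challenge, junk))   # True
    print("strict accepts junk: ", strict_check(challenge, junk))    # False
    print("flagged for review:  ", looks_like_bypass(challenge, junk))  # True
```

The lesson is independent of the hypothetical mechanism: a validator must fail closed (compute acceptance from the comparison itself, never from a flag that defaults to pass), compare against a server-side answer the client never sees, and treat a length mismatch as a failure rather than a partial match. After an incident like this one, running the heuristic over stored submissions gives a quick estimate of how many registrations or posts slipped through during the attack window.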

Google fixed the problem in a matter of hours, but it seems that the short attack window was enough for some forums to suffer serious damage. “We've pushed a change which fixes the problem with the audio CAPTCHA. Thanks to everyone who brought it to our attention,” the reCAPTCHA team responded to the discussion on Google Groups.

Bugs like these can be very dangerous, and it is fortunate that Google moved so swiftly to address this one before it was abused on a larger scale. In order to register the fake accounts used to spam people with malicious messages on legitimate websites, cybercriminals sometimes use botnets designed specifically to solve CAPTCHAs.

You can follow the editor on Twitter @lconstantin