New automated attack that can break Google reCAPTCHA system

  • 571

A group of security researchers has created a new automated attack that can break the CAPTCHA systems hired by Google and Facebook. The result of this experiment were better than they expected.

According to researchers result on Google’s reCAPTCHA system, the result was 70.78% success rate over 2,235 CAPTCHA’s and the CAPTCHA solving time was 19.2 seconds. On Facebook’s CAPTCHA system, the result was 83.5% success rate over 200 CAPTCHAs.

The attackers can rent CAPTCHA-breaking systems that solves CAPTCHA with the use of a human. Any hacker can start their own CAPTCHA-busting business, the whole system would cost aroudn $110/day with one IP address only, which will solve nearly 63,000 CAPTCHAs in 24 hours from one IP address without being banned or getting detected.

Facebook CAPTCHA system was easy to solve compared to Google CAPTCHA, as Facebook CAPTCHA system use images with higher resolution and Google use low-quality photos, which makes the system harder to solve the CAPTCHAs.

According to researcher said that, “Our completely offline captcha-breaking system is comparable to a professional solving service in both accuracy and attack duration, with the added benefit of not incurring any cost on the attacker.”

Before posting their result to the public, the three expert researchers Suphannee Sivakorn, Jason Polakis, and Angelos D. Keromytis, contacted Google and Facebook to submit their result. Google made some changes to harden reCAPTCHA, but Facebook has no replied.

These researchers presented their works last week in Columbia University’s Department of Computer Science website called  I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs


Unallocated Author

Please note that the article you are reading has an unallocated author as the original author is no longer employed at, this has been put in place to adhere with general data protection regulations (GDPR). If you have any further queries, please contact: [email protected]

One thought on “New automated attack that can break Google reCAPTCHA system

  • Avatar
    April 9, 2016 at 12:11 pm

    Is the Google’s reCAPTCHA version 2 concerned?
    Thank you

Comments are closed.

Do NOT follow this link or you will be banned from the site!