Have CAPTCHAs been broken? Sort of…

Posted by jerry as Security

I just read this article about the Hannah Montana ticket debacle, and how it points to an apparent weakness is CAPTCHA.  Unfortunately, for CAPTCHA, the problem wasn’t some slick new algorithm designed by a miscreant that can reliably decipher the images, but rather establishing a network that grabs the CAPTCHA from one site, shoots it to a porn or warez we site that presents the same CAPTCHA to someone looking to score some boobies, who must answer the CAPTCHA before getting their prize.

It’s really quite clever, and I anticipate that the CAPTCHA breaking network will continue to mature, as we have seen with other malware.  Someone’s going to make a business case for hosting a service that has an input API that accepts an image, and returns the CAPTCHA text, and a similar API that presents the CAPTCHA much like an online ad, and accepts the CAPTCHA text as an input.  Sites that use the CAPTCHA and returned a “solution” are compensated in the same model as a click through for an online ad - think of it as adsense for bad people.  Except, it would be perfectly acceptable for the site owner to sit there all night and answer CAPTCHAs on his or her site, raking in the money.

On the other side, those looking to break the CAPTCHA would have to pay a small fee for a certain number of CAPTCHA credits.  The money would flow to the site owners, with the service owner keeping a service charge, of course.

 Honestly, that could spell the end for the widespread use of CAPTCHAs.  The only way to stop this is to make the CAPTCHA too difficult to read for a human, and that defeats the whole purpose.

So, in effect, CAPTCHA was broken without really breaking it.