Google, Facebook's CAPTCHAs vanquished by security researchers

Google's and Facebook's CAPTCHA services have been defeated in research that successfully designed an automated system to solve the "are-you-human?" verification challenges. CAPTCHAs are designed to make life easier for trusted users and painful for bots, by presenting challenges that are difficult for software to crack. …

  1. tiggity Silver badge

    Beats me

    I'm sure they get a better success rate on captchas than me

    1. Anonymous Coward

      Re: Beats me

      Try not to be too smart. If it says click on all the trees, but one of them is technically a shrubbery, click that too. For road signs, it's the two squares primarily occupied with road sign.

      The shop front one is hard because the residential buildings seem to count.

    2. Anonymous Coward

      Re: Beats me

      Can someone turn this into a browser add-on to save us all the hassle of dealing with captchas?

  2. msknight

    It does suggest that developing systems that can recognise cats, might be of benefit to those who seek to defeat captchas that require the user to identify... cats.

    Hmmm....

  3. Charlie Clark Silver badge
    FAIL

    Subheadline

    Another middle class job gone as CAPTCHA-crackers beaten

    FFS El Reg how did this nonsense slip through? Is this just a very poor attempt at irony?

    1. wayne 8

      Re: Subheadline

      I was reading the article to find out about the middle class jobs solving CAPTCHAs. Sounds like a good gig.

      Not up to El Reg's pithy subheadline standards.

  4. Mike Shepherd

    "...no mechanism to prohibit...from a single IP address"

    I'm not an expert, but (as I understand it), NAT (particularly for mobile connections) places numerous devices on a single public (routeable) address. So insisting that each user have a different IP address would block many legitimate users.

    1. Anonymous Coward
      Joke

      Re: "...no mechanism to prohibit...from a single IP address"

      > I'm not an expert, but (as I understand it), NAT (particularly for mobile connections) places numerous devices on a single public (routeable) address. So insisting that each user have a different IP address would block many legitimate users.

      And the problem is...?

      Another anti-bot technique is to impose rate limits. Limiting Facebook, Twitter, Instagram etc users to, say, one post per month should solve any bot problem.

  5. handle

    Can you solve this Captcha?

    "They were also able to spin up a virtual host that assumed the necessary identifying criteria of a legitimate user and could then generate clean cookies to solve CAPTCHAs out of the normal bounds."

    I'm trying to make sense of this sentence, and I'm a human being (I think).

    1. allthecoolshortnamesweretaken

      Re: Can you solve this Captcha?

      Did you take the Turing test?

      1. Stevie

        Re: Did you take the Turing test?

        I did. Turns out I'm not Alan Turing.

    2. Mike Shepherd
      Meh

      Re: Can you solve this Captcha?

      Hey, get with the flow. Nothing has to mean anything now. You just have to impress until people nod.

    3. Primus Secundus Tertius

      Re: Can you solve this Captcha?

      It looks like a press release edited by an arts graduate who can manipulate words but not grasp their meaning.

    4. Jason Bloomberg Silver badge

      Re: Can you solve this Captcha?

      "All our articles are generated using DevOps"

  6. EveryTime

    I don't get why this is more than academically interesting.

    Spammers are willing to spend money on humans to solve trivial problems. CAPTCHAs should only be one element in a broader set of protections.

    As an example, Yahoo financial message boards. No regular user registers, then immediately proceeds to post 100 messages to 100 different boards separated by only a few seconds. A CAPTCHA per posting won't block this spam. Analyzing behavior will quickly shut it down.

  7. Herby

    Why not try ...

    Exponential rate limiting. Start over at a random time of the day. If the user input is supposed to be typed, measure the time it takes for a reasonable typist to enter the comment (or whatever). Go from there. Display a clock if you must allow for cutting and pasting, but double up on the time out period.

    Yes, they are a pain. I doubt that the Google people can solve all of them accurately.
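
The two defences suggested in the comments above (EveryTime's behaviour analysis and Herby's exponential rate limiting with a typing-time check) can be combined in one per-account gate. This is an added example, not code from the article or from any commenter. All names, thresholds and sample events are assumptions, and the timeout here resets after an accepted post rather than at a random time of day.

```python
from dataclasses import dataclass, field

# All thresholds are assumptions chosen for the illustration.
TYPING_CPS = 7.0     # characters/second a fast human typist might reach
BASE_WAIT = 5.0      # initial cooldown between posts, seconds
MAX_WAIT = 3600.0    # cap on the doubled cooldown
BURST_BOARDS = 5     # distinct boards inside BURST_WINDOW that trip the flag
BURST_WINDOW = 60.0  # seconds

@dataclass
class Account:
    wait: float = BASE_WAIT
    next_ok: float = 0.0
    recent: list = field(default_factory=list)  # (time, board) of every attempt

class PostGate:
    """Per-account gate: keyed on the account, not the client IP address."""
    def __init__(self):
        self.accounts = {}

    def check(self, user, board, text, form_opened, now):
        acct = self.accounts.setdefault(user, Account())
        acct.recent = [(t, b) for t, b in acct.recent if now - t <= BURST_WINDOW]
        acct.recent.append((now, board))
        if len({b for _, b in acct.recent}) >= BURST_BOARDS:
            verdict = "burst"        # many boards in seconds: behavioural flag
        elif now < acct.next_ok:
            verdict = "cooldown"     # still inside the current timeout
        elif now - form_opened < len(text) / TYPING_CPS:
            verdict = "too_fast"     # text arrived faster than it could be typed
        else:
            verdict = "allow"
        # Every rejection doubles the timeout; an accepted post resets it.
        acct.wait = BASE_WAIT if verdict == "allow" else min(acct.wait * 2, MAX_WAIT)
        acct.next_ok = now + acct.wait
        return verdict

def replay(events):
    gate = PostGate()
    return [gate.check(*e) for e in events]

# Constructed sample traffic: (user, board, text, form_opened, now)
HUMAN = [("alice", "tech", "x" * 140, 0.0, 60.0),
         ("alice", "tech", "y" * 70, 61.0, 62.0),
         ("alice", "tech", "z" * 70, 100.0, 130.0)]
BOT = [("spam01", f"board{i}", "buy now " * 25, 2.0 * i, 2.0 * i) for i in range(100)]

if __name__ == "__main__":
    print(replay(HUMAN))
    print(replay(BOT)[:6], replay(BOT).count("allow"))
```

The constructed bot trace posts 100 messages to 100 boards two seconds apart and gets none accepted, with no CAPTCHA involved.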
