Cracking Captchas

CAPTCHA is a type of challenge-response test used by website owners to tell humans and computers apart. Typically CAPTCHAs are introduced to prevent automation attacks such as SPAM, bulk registration, login bruteforce and automated re-authentication/re-authorization of sensitive operations. Today CAPTCHAs are used far and wide and are often the cause of everyday frustration.

Although CAPTCHAs are a common tool to fight unwanted automation and SPAM, by no means they are perfect. Traditionally CAPTCHA screens can be cracked with various techniques from sampling to using optical screen recognition. Though, due to recent advances in Machine Learning research, and readily available cloud APIs, the CAPTCHA has become almost an obsolete security measure.

Let's take the Google's Cloud Vision API for example. Using powerful machine learning models that provide data classification, detection of objects and ability to find printed words, we can easily process complex visual inputs with the aim to defeat the CAPTCHA. In the image below, you can see one such example.

While not perfect, we can still defeat an older version of Google's own reCAPTCHA too.

We can even defeat one of these CAPTCHAs which ask us to select images of a particular type. First, we detect what we need to do...

...and then we identify the pictures using the same API

This type of image classification technology is even more readily available in various commercial and open source off-the-shelf devices and software products. Even if you decide not to use Google's API, there are existing plug-and-play machine learning models that can be used in a black-box fashion but cloud APIs are easier and sometimes cheaper.