Gmail CAPTCHA system cracked by spammers
The end is nigh. Days after the Windows Live Mail CAPTCHA system was cracked by spammers, reports state that the Gmail CAPTCHA system has fallen as well.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Ever signed up for an email or forum account, and been required to enter in a group of characters? That's a CAPTCHA system.
Folks are calling this hack the most sophisticated they have seen to date. Whereas cracking the Windows Live Mail CAPTCHA required one compromised host, cracking Gmail took the combined efforts of two hosts. And because of Gmail's more sophisticated CAPTCHA system, only one in five breaking requests succeeds.
While one in five doesn't sound like much, keep in mind that Spambots are constantly working at registering hundreds of email addresses at a time, 24/7. These Spambots can't be bargained with. They can't be reasoned with. They don't feel pity, or remorse, or fear. And they absolutely will not stop, ever, until you are dead.
Oh, wait, that's another bot we're thinking of...
So for all the spammers' effort, what are they getting in return?
- They gain access to Google's wide portfolio of services
- They gain an address whose domain is highly unlikely to be blacklisted, helping them defeat one aspect of anti-spam defenses.
- Gmail also has the benefit of being free to use.
- Because Gmail has millions of users, it makes the spammers harder to track.
[via ars technica]



Reader Comments (Page 1 of 1)
zatrix said 4:55PM on 2-27-2008
As somebody who has undertaken the feat of defeating captchas for educational purposes, I salute the spammers. That was likely no easy task.
will said 5:41PM on 2-27-2008
I think if they used a picture system, it'd be harder to crack. Like display a picture of an apple, and ask the user what is the picture of.
If someone doesn't know what an apple is, they don't deserve to use the service.
RP said 12:07AM on 2-28-2008
You mean like an apple MacBook air or something? j/k :-)
I guess as long as they accept answers in all languages, it should work.
kingkool68 said 9:54AM on 2-28-2008
A picture system would not be as effective due to the limited number of possibilities. Plus it would require a lot more human effort on the backend to come up with pictures/correct answers compared to a computer script of contorted numbers and letters.
Everyone interested in Captchas should listen to Security Now Episode #103 where Steve Gibson talks in depth about the problem -> http://media.grc.com/sn/SN-101.mp3
lagartoflojo said 6:18PM on 2-27-2008
@will
You are assuming that everyone speaks the same language.
Nate said 6:20PM on 2-27-2008
To Will: But how many pictures can they hold? I mean, with random text and numbers, billions of combinations can be created. While with the picture system, pictures must be either found or taken, then listed as what they are. This limits the potential of the system, because the spammer could just make a bitmap of every CAPTCHA, due to the smaller number of them, and have it compared to the current image. A resource-intensive process, yes, but an easy crack.
Marshall said 8:13PM on 2-27-2008
If they took the images that had gone through Google Image Labeler (http://images.google.com/imagelabeler/), there would already be a list of words associated with the image, so you wouldn't have to get the exact word that one person thought described the picture.
Suddenly you have a huge pool of pictures to choose from, and more than one word for each.
Nate said 8:37PM on 2-27-2008
@Marshall
Hmm, didn't know that existed. I guess you learn something new everyday.
kingkool68 said 8:05PM on 2-27-2008
Gmail should up the requirements for signing up for their e-mail accounts with a stronger identity verification system. After all, Gmail isn't like any old fad website; it's the center of your web life.
I'm not worried, Google has got a lot of smart people who can work up something more robust.
RP said 12:08AM on 2-28-2008
During the invitation-only phase, didn't they require a cell phone #, to which they would send an SMS message?
How hard would that be to do again?
michael said 12:32AM on 2-28-2008
This obviously disproves some loyal Gmail users saying that Gmail is absolutely the best and invincible web mail. Just kidding.
But obviously, Gmail has its own issues as well. I wonder how they'll fix this.