Researcher cracks Yahoo CAPTCHA software

TechWorld.com - A security researcher has claimed that Yahoo Inc.'s system for blocking automated access to its systems -- the CAPTCHA image-recognition system -- has been effectively cracked.

CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) systems are used by Yahoo, as well as Google Inc., Microsoft Corp. and others, to stop automated systems from registering Web-based e-mail accounts, filling blog comments sections with spam and guessing passwords.

The systems typically present users with a series of characters that can be deciphered by humans, but not by image-recognition software.

Various implementations of automated CAPTCHA-cracking software have been developed, largely by spammers, but Yahoo's CAPTCHA system so far has been ranked as one of the toughest to crack.

For example, several Web sites selling CAPTCHA cracks for sites such as eBay said Yahoo's system was next to impossible to decode.

This week, however, a programmer using the pseudonym "John Wane" and claiming to be a Russian security researcher posted code for a decoder system that he said can attain an accuracy rate of about 35%.

The researcher said Yahoo had been notified about the problem but had not responded.

The decoder could be used by spammers to, for instance, register Yahoo e-mail accounts for spam purposes or to break through antispam features, the researcher said.

"It's not necessary to achieve a high degree of accuracy when designing automated recognition software," he wrote. "An accuracy of 15% is enough when attacker is able to run 100,000 tries per day."

In a statement, Yahoo said it is aware of attempts being made toward automated solutions for CAPTCHA images, and is working on improvements to the system and other defenses.

Last year, spammers used a virtual stripper as bait to dupe people into helping criminals crack CAPTCHA codes.

Security researchers warned that a series of photographs shows "Melissa" -- no relation to the 1999 worm by the same name -- with progressively fewer clothes and more skin each time the user correctly enters the characters in an accompanying CAPTCHA codes

Forrester Research Inc. said recently that spammers are increasingly using artificial intelligence tactics to get their junk delivered to e-mail users.

The booming image spam pandemic is merely the tip of the iceberg when it comes to spammers' use of AI, Forrester said.

The only way to prevent a repeat of the image spam surge as new models using AI come to light, Forrester analysts said, will be for technology vendors and their customers to abandon the current filtering-heavy approach and instead battle the roots of the problem.

Related Blog

Reprinted with permission from

For more enterprise technology news from the U.K., please visit TechWorld.com. Copyright 2006 IDG, all rights reserved.