The Gmail CAPTCHA has been cracked—albeit not easily—raising new concerns about spammers' ability to abuse Google's e-mail services. Websense Security Labs pointed out the security breach late last week, noting that spammers have a lot to gain by being able to use bots to automatically sign up for new accounts.

Google's free e-mail services and a highly-desirable gmail.com domain—one that is unlikely to be blacklisted by anybody's spam filters—are just two of the features that induced spammers to crack the CAPTCHA and have bots do all the work. On the upside, it apparently wasn't easy—Websense says that it required two bot hosts to crack instead of just the one that recently cracked Windows Live Mail's CAPTCHA (Websense believes that the same group was involved with both). It also believes that the two hosts are required because the first host may fail at cracking the code the first time around (and possibly time out), but the second host may also be required to check the work of the first. Additionally, only one in every five CAPTCHA-breaking requests on Gmail succeeded. Still, a 20 percent success rate is relatively high when you consider that spambots are trying to register hundreds (or thousands) of e-mail addresses at a time.





Your typical CAPTCHA

The CAPTCHA test—Completely Automated Public Turing test to tell Computers and Humans Apart—is one we're all familiar with. When signing up for new services, we are often asked to decipher a series of letters and numbers embedded in an image that is supposed to be difficult for computers to read. But, while the CAPTCHA has worked well in the past, hackers are getting better at programming computers with the ability to read them.

That's why there has been some attention focused on creating stronger, harder-to-break CAPTCHAs. There are, of course, audio-based ones that read something aloud and require the user to enter it back into a text box. But there's also a more complex image-based CAPTCHA that requires the user to select a number of similar images before proceeding.

Of course, neither of these options are perfect, as the former doesn't take into account hard-of-hearing computer users, and the latter makes it all but impossible for blind users to sign up without assistance. But for now, there are few other options to block spammers from getting through while the traditional CAPTCHA continues to be cracked.

Further reading: