A trio of security researchers have devised a new automated attack that can break the CAPTCHA systems employed by Google and Facebook.

The researchers utilized a large number of factors in putting together their attack, leveraging tricks to bypass CAPTCHA security measures (cookies, tokens) and machine learning to "guess" the correct (image) CAPTCHA answer with a higher degree of accuracy than previous studies.

Experiment achieves very high accuracy

The results of this new attack were better than they expected. On Google's reCAPTCHA system, researchers recorded a 70.78 percent success rate over 2,235 CAPTCHAs. Average CAPTCHA solving time was 19.2 seconds.

They achieved a better success rate on Facebook's system, where they had a success rate of 83.5 percent on over 200 CAPTCHAs.

The better accuracy for solving Facebook CAPTCHAS stems from the fact that the social network uses images with a higher resolution, and also depicts objects from distinct categories. Google, on the other hand, uses low-quality photos, always related to each other, which makes automatic image classification much harder.

Taking into account that attackers can rent CAPTCHA-breaking systems that use human operators to solve CAPTCHAs, the researchers also analyzed the economics needed to plan and run their attack.

New automated attack is also economically viable

If crooks ever wanted to start their own CAPTCHA-busting business, the whole attack would cost only $110 (€96) a day, per IP address, and would allow them to crack around 63,000 CAPTCHAs in 24 hours from one IP address without being detected and getting banned.

"Our completely offline captcha-breaking system is comparable to a professional solving service in both accuracy and attack duration, with the added benefit of not incurring any cost on the attacker," researchers explained.

Before going public with their research, Google and Facebook were contacted with the study's findings. Researchers said that Google took some steps to harden reCAPTCHA, but Facebook has not replied with any changes they've made to their CAPTCHA system.

Suphannee Sivakorn, Jason Polakis, and Angelos D. Keromytis are the three experts behind this research. Their paper called I Am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs, is available Columbia University's Department of Computer Science website. Another copy is also available via the Black Hat Asia 2016 website, where the researcher presented their work last week.

UPDATE: Google reached out to Softpedia and provided the following statement, reassuring its users that it strengthened reCAPTCHA when made aware of the study's findings.

“ We're regularly in touch with the security research community and we appreciate their contributions to the safety of reCAPTCHA and other Google products. The Columbia University researchers notified us about this issue in May 2015 and we've since strengthened reCAPTCHA's protections based on their findings and our own studies. ”