Independent researcher Chad Houck recently released algorithms that can crack Google’s reCAPTCHA program, even after the company’s recent improvements to the security tool. Houck’s method combines his own algorithms, including one that decodes the ribboning protections reCAPTCHA uses to mask the words from software, with optical-character recognition and a dictionary attack. Houck says the weakness of the reCAPTCHA program is in the way it is designed. “Every time someone types the verification word correctly, [the program] assumes they also typed the digitization word correctly,” he says. Google strengthened the verification words in the program both before and after Houck’s paper was published, according to a Google spokesperson. “We’ve found reCAPTCHA to be far more resilient while also striking a good balance with human usability, and we’ve received very positive feedback from customers,” the spokesperson says. However, Houck says he has solved Google’s latest tweaks and claims that “all of their security features are flawed.”
culled from Dark Reading (08/18/10) Higgins, Kelly Jackson