Yahoo CAPTCHA Hacked

Hell Yeah! reminds us of a two-week-old development that somehow escaped notice here. A team of Russian hackers has found a way to decipher a Yahoo CAPTCHA, thought to be one of the most difficult, with 35% accuracy. The Russian group's notice, posted by one "John Wane," is dated January 16. The site hosts a rapidshare link to what looks to be demonstration software for Windows, and quotes the Russian researchers: "It's not necessary to achieve a high degree of accuracy when designing automated recognition software. An accuracy of 15% is enough when an attacker is able to run 100,000 tries per day, taking into consideration the price of non-automated recognition — one cent per CAPTCHA."

According to Russian security researchers, the CAPTCHA system that Yahoo and many other email service providers use to block automated sign-ups may not be secure. The researchers claim to have found a way to compromise it, which would let attackers register accounts in bulk and result in a large increase in spam sent from Yahoo and other email accounts.


CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart, is a technique adopted by Yahoo, Google, and Microsoft, among other service providers, to prevent automated programs from posing as humans and signing up for new accounts. It presents distorted text that is easy for humans to read but difficult for software to recognize, and as a result protects Web sites from bots. The first CAPTCHA was developed at Carnegie Mellon University for use by Yahoo. CAPTCHAs have other applications, such as preserving the integrity of online polls, preventing comment spam on blogs, and slowing dictionary attacks against password systems.

E-mail service providers keep refining their defenses to provide a robust service to users. While most email service providers use CAPTCHAs, the schemes used by the top providers were considered difficult for machines to recognize. If the claim by the Russian security researcher who identifies himself as "John Wane" is true, Yahoo and the other email service providers may have to speed up their research and find better ways to improve their defenses and protect themselves from spam and other malicious use of their services.

"A few months ago, we received information that [a] Yahoo CAPTCHA recognition system exists in the wild with a recognition rate of about 30 percent," Wane says in a blog post. "So we decided to conduct a few experiments. We explored the Yahoo CAPTCHA and designed a similar system with an even better recognition rate (about 35 percent)."

"We are aware of attempts being made toward automated solutions for CAPTCHA images and continue to work on improvements as well as other defenses," a Yahoo spokesperson said in an e-mailed statement.

John Orbeton, strategic product manager, IronPort, said that if the software works, "it could be used for spam. It could be used for phishing. It depends on the motivation of the attacker." The claimed rate of success, 35 percent, he said, "could create a fairly significant number of e-mail accounts." It is ironic, Orbeton added, that image-recognition technology, which is being used to defend against the current generation of image spam, should be used by spammers to create more spam.

Not that there's any shortage of the stuff. "In 2007 we saw spam volumes increase 100 percent," Orbeton said. "That comes out to around 20 spam messages per day for everyone on the planet, whether they have e-mail or not."

The weakness of these defenses is that the attacker does not need a high recognition rate. An automated program can run many thousands of trials per day, so even a solver that fails most of the time yields a large absolute number of successes: its daily yield is simply the recognition rate multiplied by the number of attempts it is allowed to make. A harder image lowers the rate; only a cap on attempts bounds the number of accounts an attacker can create.
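The arithmetic in the researchers' quote (15% accuracy at 100,000 tries per day) and the defense it implies can be made concrete. The following is an added example, not code from the article or from the Russian group: it models the solver's yield against the one-cent-per-CAPTCHA human-solving price, and runs a per-source attempt cap over a constructed CAPTCHA verification log. The log format, the addresses (RFC 5737 documentation ranges), the 40-attempt solver source, and the thresholds are all assumptions made for the example.

```python
"""Solver economics and per-source attempt throttling for CAPTCHA checks.

Added example, not from the article. The log format below is assumed:
"<ISO timestamp> src=<ip> result=<ok|fail>", one line per verification.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _build_sample_log():
    """Constructed sample log (not real data). One human, one automated solver."""
    base = datetime(2008, 1, 16, 12, 0, 0)
    lines = []
    # A human: three attempts spread over ten minutes, one typo.
    for offset, result in ((0, "fail"), (95, "ok"), (640, "ok")):
        t = base + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} src=203.0.113.5 result={result}")
    # An automated solver: 40 attempts three seconds apart, 14 solved (35%).
    for i in range(40):
        t = base + timedelta(seconds=3 * i)
        result = "ok" if i % 20 < 7 else "fail"
        lines.append(f"{t.isoformat()} src=198.51.100.77 result={result}")
    return sorted(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Return (timestamp, source address, solved?) for one assumed-format line."""
    ts, src, result = line.split(" ")
    return (datetime.fromisoformat(ts),
            src.split("=", 1)[1],
            result.split("=", 1)[1] == "ok")


def per_source_stats(lines):
    """Attempts, solves, success rate and sorted attempt times per source."""
    stats = defaultdict(lambda: {"attempts": 0, "solved": 0, "times": []})
    for line in lines:
        ts, src, ok = parse_line(line)
        s = stats[src]
        s["attempts"] += 1
        s["solved"] += int(ok)
        s["times"].append(ts)
    for s in stats.values():
        s["times"].sort()
        s["rate"] = s["solved"] / s["attempts"]
    return dict(stats)


def exceeds_rate_limit(times, max_attempts, window):
    """True if any sliding window of length `window` holds more than max_attempts."""
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 > max_attempts:
            return True
    return False


def flag_automated(lines, max_attempts=10, window=timedelta(minutes=10)):
    """Sources that an attempt cap would throttle, regardless of their accuracy.

    A solver at 35% needs roughly three attempts per account, so a cap on
    attempts per source and window, not image difficulty alone, is what
    bounds accounts created per day.
    """
    stats = per_source_stats(lines)
    return {src: s for src, s in stats.items()
            if exceeds_rate_limit(s["times"], max_attempts, window)}


def solver_economics(accuracy, attempts_per_day, cents_per_human_solve=1.0):
    """Solves per day, and what buying the same solves from humans would cost (USD)."""
    solved = accuracy * attempts_per_day
    return solved, solved * cents_per_human_solve / 100


if __name__ == "__main__":
    for acc in (0.15, 0.35):
        solved, usd = solver_economics(acc, 100_000)
        print(f"{acc:.0%} accuracy: {solved:.0f} solves/day, "
              f"worth ${usd:.0f}/day at one cent per human solve")
    for src, s in flag_automated(SAMPLE_LOG).items():
        print(f"throttle {src}: {s['attempts']} attempts, rate {s['rate']:.0%}")
```

The solver source is flagged by volume inside the window, not by its 35% success rate, which is the point: a throttle works whether the solver is at 15% or 35%, while a harder image only changes which rate the attacker multiplies by his attempt budget.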
