Google reCAPTCHA broken

Posted By Grant Forrest |  last update 09-Feb 2011

As I suspected, Google's reCAPTCHA anti-spambot system has been broken. There is a good discussion about it here and here.

I realised something was amiss when the SCATA forum started getting hit by 10-15 attempted spam registrations each day. I found it hard to believe that reCAPTCHA could be broken - the folks over at Google talk a good game when discussing how secure it is.

The ramifications are quite serious. Google use reCAPTCHA to prevent automated registrations for GMail. Now that it's broken, the botnets are having a ball. Gmail must be getting absolutely hammered. About 80% of the attempted registrations at the SCATA board were from Gmail accounts.

Over at the PHPBB3 forums, the advice seemed to be to go with the Q&A counter-spam measure rather than reCAPTCHA. No surprise then that after switching the SCATA board to use Q&A, the bot registrations have ceased. Q&A is quite good fun - I had my 11-year-old son come up with a few questions and answers.

I have a lot of reCAPTCHAs deployed on various pages, not just here at SCATA but on other sites too. It will be interesting to see how Google respond to this. At the moment they have their heads buried firmly in the sand.

