Update: I asked Ben Maurer, chief engineer of reCAPTCHA about this ‘penis flood‘ attack, Ben says that they’ve anticipated this type of attack and they have numerous protections that will keep the penises from penetrating the reCAPTCHA barrier.Īs appealing as the notion of sprinkling the word ‘penis’ into texts, the Anonymous team knew that the clock was ticking, and if they were going to restore the Message they didn’t have time to wait for the autovoters to come back online - they were going to have to vote manually, many, many times.
If they did this often enough, then soon a significant percentage of the images would be labeled as ‘penis’ and the ability to autovote would be restored (one side effect, that was not lost on Anonymous, was the notion that for years to come there would be a number of digital books with the word ‘penis’ randomly inserted throughout the text. All they had to do was look at the two words in the captcha, enter the proper label for the ‘easy’ one (presumably that would be the one that the two optical scanners would agree upon) and enter the word “penis” for the hard one. 2iasdo4 What Anonymous realized was that if they always labeled the unknown scanned text with the same word - and if they did this thousands and thousands of times eventually a large percentage of the unknown words would be mislabeled with their word. Those words that are consistently given a single label by human judges are recycled as control words”. The word is displayed along with a control word already known and is labeled by the human. Wikipedia describes the process: “Scanned text is subjected to analysis by two different optical character recognition programs in cases where the programs disagree, the questionable word is converted into a CAPTCHA. One thing they discovered about reCAPTCHA was that it always presents two words to a user for decoding - one word is a control word known by the reCAPTCHA system, while the other is an unknown word (reCAPTCHA uses the humans to help correct OCR errors). The next tactic used was to see if they could find a flaw in the reCAPTCHA implementation. Hacking Recaptcha (aka ‘The Penis Flood’) You might be interested in this detailed report on how 4chan defeated reCAPTCHA, and used it to manipulate 's annual TIME 100 Poll results. See for a complete overview of the topic.Īnd yeah, OCR is not the best way to break a CAPTCHA protected site - there are many other better ways. UPDATE: CAPTCHA Killer's website is now taken down, apparently under legal pressure. I personally tried numerous reCAPTCHA images, and it was actually some of the easiest ones (or at least quickest) broken. It also provides for an API (REST, I think, but maybe also SOAP). You can upload a CAPTCHA image, and it will automatically, if not immediately, provide the OCR'd answer. I notice that almost all the answers here relate to the ineffectiveness of the concept of CAPTCHA, in principle - and while I very much agree with them, in fact gave a talk at OWASP a few months ago explaining just that - the question is very specific, so I will provide for a demonstration.īut first, I will reiterate that demonstration aside, re-read the other comments, since it's truth that CAPTCHA is pointless and not helpful, irrelevant of implementation.īut really, check out CAPTCHA Killer.