Repetition breaks Google Audio CAPTCHA

Google has fixed a bug that allowed any 10 words to register as a correct response

Google has fixed a flaw in its Audio CAPTCHA software that could have given scammers a way to automatically set up phoney accounts with the company's services.

The flaw was described in a post to the Full Disclosure mailing list Monday. According to the post, anyone could pass a Google Audio CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) test by typing in any 10 words as the response.

CAPTCHA is testing software used by many websites to cut down on online fraud. Sites often use CAPTCHA systems to make sure that new accounts are created by human beings, instead of automated scripts. Typically a CAPTCHA test presents a hard-to-read image of a word, which the user must then type in to prove he is not a machine. The audio version gives visually impaired users a way to use CAPTCHA, by playing a recorded sound of the test word.

According to Harry Strongburg, the Full Disclosure poster who reported the issue, typing "google google google google google google google google google google," for example, would yield a correct response, no matter what the test word.

He stumbled on the issue recently after typing what he suspected was an incorrect answer to a barely audible audio CAPTCHA message. "I clicked it, typed in what it sounded like, and it worked correctly," Strongburg said in an e-mail message. "Intrigued by this, I tried it again with another random sentence of the same length. To my surprise, it worked again."

Google moved quickly to fix the bug after it was disclosed.

"We fixed a bug in our audio CAPTCHA validation last night within a few hours," said spokesman Jay Nancarrow on Tuesday in an e-mail message. "Audio CAPTCHAs continue to function normally."

That's a good thing, because, in theory, scammers could have leveraged this bug to quickly create thousands of malicious Google accounts. Google's Gmail service has been used by spammers, said Paul Ferguson, a security researcher with Trend Micro. And Blogger and Google Groups have been used to spread malware, he added in an instant message interview.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

More about: CHA, Google, IDG, Trend Micro
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: captcha, exploits and vulnerabilities, Google, internet, Internet-based applications and services, security
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/150/handbrake/

HandBrake

HandBrake is an opensource tool that allows you to backup your DVDs so that you can store and watch them on your computer. Features include: ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia