Have you ever been writing a script to spam Wordpre- I mean, have you ever had such a hard time reading a captcha that you clicked the little speaker next to it to try the Audio Captcha?
Yeah, me neither, but here is some interesting info about how to bypass it in an automated fashion, with over 90% accuracy.
Let’s start with the story behind it, as the exploit was exposed by a group of hackers that created a tool known as Stiltwalker that easily deciphers the audio captcha. Here is a quote I snagged from Ars Technica where one of the creators speaks about Stiltwalker:
“The primary thing which makes Stiltwalker stand apart is the accuracy,” wrote Adam, one of the three hackers who devised the attack, in an e-mail. “According to the lead researcher from the Carnegie Mellon study, the system we attacked was believed to be ‘secure against automatic attack,’” he added, referring to this resume from a Carnegie Mellon University computer scientist credited with designing the audio CAPTCHA.
So the issue they are exploiting here is that the audio captcha uses a bunch of background noises with some superimposed words. You get to listen to a few seconds of low-frequency noise, then an easily distinguishable voice says words like September, February, Orange, Brown and other words, which you are expected to type out in the little box.
For a while captchas were a bit tough to exploit like this in an automated fashion, but the gist of how Stiltwalker works is that the words superimposed over the noise contain high frequencies not present in the low-frequency noise. These higher frequencies are likely due to sibilants in the words, but may just be the tone or timbre of the voice. Here is a visual representation of what I am trying to say:
This method was originally set to be revealed at the Layer One security conference, but the group of hackers were foiled by Google, who released a new reCaptcha 2 hours before the presentation. The hackers have no proof that there was an insider who informed Google of the impending talk, but Google seemed rather stern about it, and it felt obvious that someone was told in advance. The fix was rather simple: instead of low-frequency noise, the background is now human voices saying random sound combinations that are not actual words, with the actual words buried inside. The reCaptcha length is also different: instead of being 8 seconds it is now 30.
Currently Stiltwalker works for about 1 out of 3 tries with the new reCaptcha, which, if you have a bot churning out comments or whatever type of spam you are trying to break captcha for, I suppose makes it worthwhile to give it a try.
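Here is the weakness and the fix from the designer's side, as an added example that is not from the original post or from Stiltwalker: given the separate speech and masking-noise tracks that a captcha generator has before mixing, it lists the frequency bands where the words are left unmasked. The sample rate, tones, bands and function names are all constructed for illustration; real audio would need framing and a finer frequency step.

```python
import math

RATE = 8000  # Hz; constructed sample rate for this example
N = 800      # 0.1 s of audio, so every multiple of 10 Hz is an exact bin

def tones(parts):
    """Constructed test signal: sum of (frequency_hz, amplitude) sines."""
    return [sum(a * math.sin(2 * math.pi * f * i / RATE) for f, a in parts)
            for i in range(N)]

def goertzel_power(samples, freq):
    """Normalised power of `samples` at `freq` Hz (Goertzel algorithm)."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / RATE)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return (s1 * s1 + s2 * s2 - coeff * s1 * s2) / len(samples) ** 2

def band_power(samples, lo, hi, step=100):
    """Summed power over [lo, hi) Hz, probed every `step` Hz."""
    return sum(goertzel_power(samples, f) for f in range(lo, hi, step))

def unmasked_bands(speech, noise, bands, min_ratio=1.0):
    """Bands where the speech has energy but the noise has less than
    min_ratio times as much, i.e. a filter on that band isolates the words."""
    exposed = []
    for lo, hi in bands:
        sp = band_power(speech, lo, hi)
        if sp > 1e-9 and band_power(noise, lo, hi) < min_ratio * sp:
            exposed.append((lo, hi))
    return exposed

BANDS = [(0, 1000), (1000, 2000), (2000, 4000)]
# Constructed stand-ins: a "voice" with low, mid and sibilant-range energy,
# the old low-frequency masker, and a voice-like masker spanning all bands.
SPEECH = tones([(300, 0.5), (1500, 0.3), (3000, 0.3)])
LOW_NOISE = tones([(100, 0.8), (200, 0.8)])
VOICE_NOISE = tones([(200, 0.4), (400, 0.4), (1400, 0.4), (1600, 0.4),
                     (2900, 0.4), (3100, 0.4)])

if __name__ == "__main__":
    print("low-frequency masker leaves exposed:",
          unmasked_bands(SPEECH, LOW_NOISE, BANDS))
    print("voice-like masker leaves exposed:",
          unmasked_bands(SPEECH, VOICE_NOISE, BANDS))
```

Any band the check reports is one where the masking noise does nothing to hide the words, which is the gap the low-frequency design left open and the voice-like background closes.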