Repetition breaks Google Audio CAPTCHA

Google has fixed a bug that allowed any 10 words to register as a correct response

Google has fixed a flaw in its Audio CAPTCHA software that could have given scammers a way to automatically set up phoney accounts with the company's services.

The flaw was described in a post to the Full Disclosure mailing list Monday. According to the post, anyone could pass a Google Audio CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) test by typing in any 10 words as the response.

CAPTCHA is testing software used by many websites to cut down on online fraud. Sites often use CAPTCHA systems to make sure that new accounts are created by human beings, instead of automated scripts. Typically a CAPTCHA test presents a hard-to-read image of a word, which the user must then type in to prove he is not a machine. The audio version gives visually impaired users a way to use CAPTCHA, by playing a recorded sound of the test word.

According to Harry Strongburg, the Full Disclosure poster who reported the issue, typing "google google google google google google google google google google," for example, would yield a correct response, no matter what the test word.

He stumbled on the issue recently after typing what he suspected was an incorrect answer to a barely audible audio CAPTCHA message. "I clicked it, typed in what it sounded like, and it worked correctly," Strongburg said in an e-mail message. "Intrigued by this, I tried it again with another random sentence of the same length. To my surprise, it worked again."

Google moved quickly to fix the bug after it was disclosed.

"We fixed a bug in our audio CAPTCHA validation last night within a few hours," said spokesman Jay Nancarrow on Tuesday in an e-mail message. "Audio CAPTCHAs continue to function normally."

That's a good thing, because, in theory, scammers could have leveraged this bug to quickly create thousands of malicious Google accounts. Google's Gmail service has been used by spammers, said Paul Ferguson, a security researcher with Trend Micro. And Blogger and Google Groups have been used to spread malware, he added in an instant message interview.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags internetGoogleexploits and vulnerabilitiescaptchaInternet-based applications and services

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service
Show Comments

Brand Post

PC World Evaluation Team Review - MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?