Repetition breaks Google Audio CAPTCHA

Google has fixed a bug that allowed any 10 words to register as a correct response

Google has fixed a flaw in its Audio CAPTCHA software that could have given scammers a way to automatically set up phoney accounts with the company's services.

The flaw was described in a post to the Full Disclosure mailing list Monday. According to the post, anyone could pass a Google Audio CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) test by typing in any 10 words as the response.

CAPTCHA is testing software used by many websites to cut down on online fraud. Sites often use CAPTCHA systems to make sure that new accounts are created by human beings, instead of automated scripts. Typically a CAPTCHA test presents a hard-to-read image of a word, which the user must then type in to prove he is not a machine. The audio version gives visually impaired users a way to use CAPTCHA, by playing a recorded sound of the test word.

According to Harry Strongburg, the Full Disclosure poster who reported the issue, typing "google google google google google google google google google google," for example, would yield a correct response, no matter what the test word.

He stumbled on the issue recently after typing what he suspected was an incorrect answer to a barely audible audio CAPTCHA message. "I clicked it, typed in what it sounded like, and it worked correctly," Strongburg said in an e-mail message. "Intrigued by this, I tried it again with another random sentence of the same length. To my surprise, it worked again."

Google moved quickly to fix the bug after it was disclosed.

"We fixed a bug in our audio CAPTCHA validation last night within a few hours," said spokesman Jay Nancarrow on Tuesday in an e-mail message. "Audio CAPTCHAs continue to function normally."

That's a good thing, because, in theory, scammers could have leveraged this bug to quickly create thousands of malicious Google accounts. Google's Gmail service has been used by spammers, said Paul Ferguson, a security researcher with Trend Micro. And Blogger and Google Groups have been used to spread malware, he added in an instant message interview.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Tags Internet-based applications and servicesexploits and vulnerabilitiesGooglesecurityinternetcaptcha

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Comments

Comments are now closed.

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?