Breaking Google’s reCAPTCHA

By Douglas Mechaber
July 22, 2012 11:10 AM

Table Of Contents
1. Stiltwalker Project and dc949
2. reCAPTCHA Analysis
3. Improving the Solution: reCAPTCHA
4. Word Mashing – Get Fuzzy: reCAPTCHA Hacking
5. Google’s Reaction: The Lady or The Tiger?

1. Stiltwalker Project and dc949

The story of the Stiltwalker project and dc949's bid to break Google's reCAPTCHA service.

reCAPTCHA is Google’s free version of a CAPTCHA service, a mechanism that prevents bots or computers from filling in forms such as website registrations, contest entries, and comment fields that attract spam. It is used extensively by Twitter, Facebook, Ticketmaster, and Craigslist. The term CAPTCHA, or Completely Automated Public Turing Test to Tell Computers and Humans Apart, was coined, and first used, in 2000 by Luis von Ahn, Manuel Blum, Nicholas Hopper and John Langford of Carnegie Mellon University.

What does that have to do with dc949? Most hacker security conferences have contests; Shmoocon is no different. One of their recent contests involved claiming the maximum number of Twitter followers. What if you were able to sign up a very large number of accounts, and have them all follow your account? Team dc949 took the challenge, but found that on the third Twitter account creation, the user had to fill in a reCAPTCHA test to ensure that the Twitter accounts weren’t requested by a script or bot. Being erudite hackers, dc949 decided that sidestepping the reCAPTCHA roadblock would allow them to generate more followers, and tried to write a script to do just that. That attempt failed, as did their effort to win the Twitter follower contest.

Some time later, CP and Adam of dc949 realized that the same thing was bothering both of them: it should be possible to defeat audio reCAPTCHA. Project Stiltwalker was born.
In the meantime, Adam was presciently taking a machine learning class at Stanford.

Fig. 1. Stars of Layer one: Jeffball, C-P, deep in thought and motion, and Adam. Note the very cool speaker badges (designed by nullspacelabs) on Jeffball and Adam that resemble Cylons. If you look closely at Jeffball’s badge, you can see the static image of the moving “eye.” On Adam’s badge, that “eye” is just about off the badge edge. C-P’s badge is in his pocket.

From a former life as a molecular biologist to his current occupation as a security architect, Douglas Mechaber has worked in everything from healthcare to utilities. He currently tries to foster a security culture for a mid-sized municipality. In his spare time, Doug teaches Scuba, is active in OWASP, ISSA, and ISACA, and is a member of a local USCG Auxiliary flotilla.