New AI tool can decode security captchas 

The programme was tested on 33 captcha schemes, of which 11 are used by many of the world's most popular websites -- including eBay, Wikipedia and Microsoft.

Published: 06th December 2018 11:39 AM  |   Last Updated: 06th December 2018 11:39 AM   |  A+A-

Image used for representational purpose.


LONDON: Researchers have created a new artificial intelligence tool that can read text captcha schemes used to defend the majority of the world's most popular websites from cyber attacks.

The algorithm based on deep learning methods is the most effective solver captcha security and authentication systems to date and could spell the end for one of the most widely used website security systems.

ALSO READ | Over 4 lakh cyber attacks in India from Russia, US and China

Text-based captchas use a jumble of letters and numbers, along with other security features such as occluding lines, to distinguish between humans and malicious automated computer programmes.

It relies on people finding it easier to decipher the characters than machines.

The tool, developed by Lancaster University in the UK, Northwest University in the US and Peking University in China, delivers significantly higher accuracy than previous captcha attack systems.

It is able to successfully crack versions of captcha where previous attack systems have failed.

The solver is also highly efficient.

It can solve a captcha within 0.05 of a second by using a desktop PC, researchers said.

The method involves teaching a captcha generator programme to produce large numbers of training captchas that are indistinguishable from genuine captchas.

These are then used to rapidly train a solver, which is then refined and tested against real captchas.

By using a machine-learned automatic captcha generator the researchers, or would be attackers, are able to significantly reduce the effort, and time needed to find and manually tag captchas to train their software.

It only requires 500 genuine captchas, instead of the millions that would normally be needed to effectively train an attack programme.

Previous captcha solvers are specific to one particular captcha variation.

Prior machine-learning attack systems are labour intensive to build, requiring a lot of manual tagging of captchas to train the systems.

They are also easily rendered obsolete by small changes in the security features used within captchas.

Since, the new solver requires little human involvement it can easily be rebuilt to target new, or modified, captcha schemes.

The programme was tested on 33 captcha schemes, of which 11 are used by many of the world's most popular websites -- including eBay, Wikipedia and Microsoft.

"We show for the first time that an adversary can quickly launch an attack on a new text-based captcha scheme with very low effort," said Zheng Wang, Senior Lecturer at Lancaster University.

This is scary because it means that this first security defence of many websites is no longer reliable.

This means captcha opens up a huge security vulnerability which can be exploited by an attack in many ways.

"It allows an adversary to launch an attack on services, such as Denial of Service attacks or spending spam or fishing messages, to steal personal data or even forge user identities," said Guixin Ye, the lead student author of the study.

"Given the high success rate of our approach for most of the text captcha schemes, websites should be abandoning captchas," Ye said.

Stay up to date on all the latest Tech news with The New Indian Express App. Download now
(Get the news that matters from New Indian Express on WhatsApp. Click this link and hit 'Click to Subscribe'. Follow the instructions after that.)


Disclaimer : We respect your thoughts and views! But we need to be judicious while moderating your comments. All the comments will be moderated by the editorial. Abstain from posting comments that are obscene, defamatory or inflammatory, and do not indulge in personal attacks. Try to avoid outside hyperlinks inside the comment. Help us delete comments that do not follow these guidelines.

The views expressed in comments published on are those of the comment writers alone. They do not represent the views or opinions of or its staff, nor do they represent the views or opinions of The New Indian Express Group, or any entity of, or affiliated with, The New Indian Express Group. reserves the right to take any or all comments down at any time.

flipboard facebook twitter whatsapp