The Decline of the CAPTCHA | eWeek

The Decline of the CAPTCHA

Écrit par
Larry Seltzer
Larry Seltzer
Nov 3, 2007
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

This is what we get for taking Alan Turing’s name in vain. The ‘T’ in CAPTCHA is for Turing and his famous proposition that a machine could be said to be called “sentient” when a person out of view talking to it could not tell if it were human or machine.

The goal of a CAPTCHA, or Completely Automated Public Turing test to tell Computers and Humans Apart, is to present a challenge that only a human can answer properly. It took a few years, but it looks like computers are getting to the point of defeating CAPTCHAs often enough to make the tests a failure.

For years I had been hearing from researchers about how they could beat these things, and I think they were partly exaggerating, but I’ve seen enough stories now that I have to figure the CAPTCHA’s days are over.

The one that really drove it home for me was the story of Ticketmaster vs. RMG Technologies. RMG had developed software for ticket brokers to use to automate the process of buying tickets on the Ticketmaster Web site. Brokers used the software to buy up tickets as soon as they went on sale and then sell them at a huge markup on StubHub and other such places. Parents found themselves paying $200 for tickets for their kids to see Hannah Montana.

There are a lot of lessons to learn from this, like perhaps if there is a thriving scalper market then the tickets were underpriced to begin with. But the more relevant point is that part of the automation including getting through the CAPTCHA on the Ticketmaster site. It sounds like RMG was particularly successful at it.

I’ve seen successful efforts at that before. I once got a lot of comment spam on a blog that had a CAPTCHA for commenters. The volume of comment spam was small enough that it could just have been humans filling out the form. However, the admin tried different CAPTCHA software and the problem stopped, which told me at the time that some of these tests were better than others.

And now it seems someone has found a way to automate the process of having real humans fill out the CAPTCHA form. As reported here by McAfee, what you do is set up a second Web site to turn users into unwitting CAPTCHA-filling drones. You present content to them that requires them to fill out a CAPTCHA. The CAPTCHA you present to them is in fact the one presented by the site that you want to break into, and you pass the response on to it in order to break in. Your Web site is a CAPTCHA proxy.

To read about how hackers got Web surfers to crack CAPTCHAs with an online striptease game, click here.

I doubt that RMG Technologies was using this method, because of the first of several problems with the CAPTCHA proxy scenario: You can’t operate at high speed, only the speed at which your users log into your system. The second problem, something of a corollary of the first, is that you need a large number of users in order to commit a large number of attacks.

Perhaps the hardest part of it all, though, is that you need to have content that other people will want to read. Of course, since we’ve already established that you’re dishonest, all you need to do is steal pornography from other sites and give it away free and people will fill out your CAPTCHAs for you.

And in the end, if you have a large number of CAPTCHAs and the text that answers them, you have a database to draw on to learn how to automate passing CAPTCHAs the right way.

I fear the only way CAPTCHAs will get more resilient against attack is to be more resilient against humans answering them, which is hardly the point. Turing wouldn’t have been impressed.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. He can be reached at larry.seltzer@ziffdavisenterprise.com.

Click here for an archive of Larry Seltzer’s columns.

Check out eWEEK.com’s Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK’s Security Watch blog.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.