The background noise added to the audio version of Google's reCAPTCHA didn't include high frequencies, making it easy for histograms like this one to pinpoint the six distinct words included in each challenge.
C-P, Adam, Jeffball
Google revamped its reCAPTCHA system, used to block automated scripts from abusing its online services, just hours before a trio of hackers unveiled a free system that defeats the widely used challenge-response tests with more than 99 percent accuracy.
Stiltwalker, as the trio dubbed its proof-of-concept attack, exploits weaknesses in the audio version of reCAPTCHA, which is used by Google, Facebook, Craigslist and some 200,000 other websites to confirm that humans and not scam-bots are creating online accounts. While previous hacks have also used computers to crack the Google-owned CAPTCHA (short for Completely Automated Public Turing test to tell Computers and Humans Apart) system, none have achieved Stiltwalker's impressive success rate.
"The primary thing which makes Stiltwalker stand apart is the accuracy," wrote Adam, one of the three hackers who devised the attack, in an e-mail. "According to the lead researcher from the Carnegie Mellon study, the system we attacked was believed to be 'secure against automatic attack,'" he added, referring to this resume from a Carnegie Mellon University computer scientist credited with designing the audio CAPTCHA.