CAPTCHA Security on Popular Sites Broken Using an Automated Tool


Researchers Elie Bursztein, Matthieu Martin and John C. Mitchell of Stanford University developed an automated tool that can break the text-based anti-spam test used on many popular sites.

Websites use a CAPTCHA security test to block spam comments and automated registration.
For example, when you register on a forum, it asks you to enter the exact text shown in an image.

They tested their tool against 15 popular websites. 13 of the 15 sites were vulnerable to automated attack.

The success rate on Visa's Authorize.net payment gateway was 66%, and on Blizzard's World of Warcraft portal it was 70%. Other interesting results were registered on eBay, whose CAPTCHA implementation failed 43% of the time, and on Wikipedia, where one in four attempts was successful. Lower, but still significant, success rates were found on Digg, CNN and Baidu: 20, 16 and 5% respectively. Megaupload had the highest success rate, 93%.

The only tested sites where CAPTCHAs couldn't be broken were Google and reCAPTCHA.


After these test results came out, Authorize.net and Digg switched to reCAPTCHA.

The researchers, Elie Bursztein, Matthieu Martin and John C. Mitchell, who have also developed techniques to break audio CAPTCHAs on sites like Microsoft, eBay, Yahoo and Digg, presented their latest research at the recent ACM Conference on Computer and Communications Security in Chicago.

Download the full report:
https://cdn.elie.net/publications/text-based-captcha-strengths-and-weaknesses.pdf