Last weekend, a group of hackers unveiled Stiltwalker, a hack that subverts the reCaptcha system Google uses to protect its services from bots with 99 per cent accuracy. But just hours before the group was set to present its hack at the LayerOne conference Google patched it up so it wouldn’t work anymore.
Stiltwalker is an impressive piece of engineering by the hackers from Defcon Group. CAPTCHA hacks have existed before, but what makes this hack so neat is that when it was working it could nail Google’s coded system much more accurately than any other before it. Rather than attack a single vulnerability, the hackers attacked several shortcomings of the audio portion of reCAPTCHA from multiple angles. Ars Technica reports:
What the hackers-identified only as C-P, Adam, and Jeffball-learned from analysing the sound prints of each test was that the background noise, in sharp contrast to the six words, didn’t include sounds that registered at higher frequencies. By plotting the frequencies of each audio test on a spectogram, the hackers could easily isolate each word by locating the regions where high pitches were mapped. reCAPTCHA was also undermined by its use of just 58 unique words. Although the inflections, pronunciations, and sequences of spoken words varied significantly from test to test, the small corpus of words greatly reduced the work it took a computer to recognise each utterance.