AI Researchers Achieve 100% Success Rate in Bypassing Google's reCAPTCHAv2, Raising Cybersecurity Concerns

This AI tool can solve Google's popular anti-spam defense every time -- CAPTCHA system could soon become obsolete

A group of AI researchers at ETH Zurich in Switzerland have developed an advanced tool that can solve Google's CAPTCHA system with 100% accuracy, raising serious concerns about the future of CAPTCHA-based security. CAPTCHA, an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart," has been a primary defense mechanism against bots for years, with Google's reCAPTCHA being the most widely used. This system uses image-based challenges and tracks user behavior to differentiate between humans and machines, however, advances in AI have led to these systems becoming increasingly vulnerable. Andreas Plesner, Tobias Vontobel and Roger Wattenhofer recently modified the You Only Look Once (YOLO) image-processing model, successfully solving Google's reCAPTCHAv2 human-testing system. The study they conducted focused on evaluating the effectiveness of reCAPTCHAv2, which has become a critical part of website security by blocking automated bots from accessing forms, purchasing products, or participating in online interactions. This project revealed that the modified YOLO-based model achieved a 100% success rate in solving reCAPTCHAv2 image challenges, compared to earlier systems that only managed success rates of 68-71%. Additionally, the researchers found that bots required roughly the same number of challenges to solve CAPTCHAs as human users, leading to doubts about the system's reliability in distinguishing between bots and real people. It was also discovered that reCAPTCHAv2 depends heavily on browser cookies and history data to evaluate whether a user is human, meaning that bots can bypass security features if they appear to have human-like browsing behavior. As AI technology continues to evolve, the boundary between human and machine intelligence narrows. CAPTCHAs, designed to be solvable by humans but difficult for bots, may soon be rendered obsolete. This research underscores the challenge of creating new CAPTCHA systems that can outpace AI's rapid advancement or the need to explore alternative forms of human verification. The study, available on the arXiv preprint server, calls for the development of future CAPTCHA systems capable of adapting to AI advancements or the exploration of alternative methods of human verification. It also emphasizes the need for further research into refining datasets, improving image segmentation, and examining the triggers that activate blocking measures in automated CAPTCHA-solving systems. These findings are significant because they point to an urgent need for innovation in digital security. As AI continues to progress, the traditional methods of distinguishing humans from machines become less reliable, forcing the tech industry to rethink security protocols and human verification methods in the near future.

AI bots are using a 'YOLO' model to beat Captchas in just another way computers are better than you

Have you ever gotten annoyed because you just can't seem to figure out that Captcha test on the first go? Well, prepare to get more annoyed as a complex new bot is able to beat it with 100% certainty. In a paper fittingly titled "Breaking reCAPTCHAv2", as spotted by Tom's Hardware, researchers studied and utilised the "YOLO" model to solve image-based captcha puzzles. While it was previously only able to solve puzzles up to 71% of the time, this study showed that it could solve 100% of captchas presented to it. The paper states "Our findings indicate that current captcha mechanisms are not immune to the rapidly advancing field of artificial intelligence." Captchas are those annoying tests you have to take before certain websites will let you visit, log in, or do other things on them. They're a form of Turing Test, designed to parse the difference between a human user and a bot. This can be used to avoid inflated user numbers on sites and stop bots from spamming messages or scraping data. Importantly, Captchas can also mitigate DDOS (distributed denial of service) attacks, where bots access a site on mass to overload servers and effectively take it down. If bots can solve Captchas, this could pose a not-insignificant security risk to websites. It's worth noting this bot currently only works for Google's reCaptchav2. Google's reCaptchav3 launched earlier this year and it can tell based on your website usage and behaviour whether or not you are a bot, which is much harder for AI to crack. Unfortunately, some users will not be able to get through v3 due to their lack of consistent website usage and will be forced to use v2 either way, suggesting it's not inherently safer, just more convenient for some. The study itself is cautious of the future of this tech and the need for Captcha to further evolve alongside it. "Our findings mark a crucial point in the ongoing dialogue between AI capabilities and digital security. They highlight the necessity for captcha technologies to evolve proactively, staying ahead of AI's rapid advancements. "This is not just an academic challenge; it is a vital step toward ensuring the continued reliability and safety of our online environments." This does sound like an important issue, but I can't lie, I'm more bothered by the fact an AI is more consistent than me at beating Captchas.

AI researchers demonstrate 100% success rate in bypassing online CAPTCHAs

reCAPTCHAv2, anyway -- newer CAPTCHA methodologies may still work, for now. If you're tired of the days of completing captcha tests to prove you aren't a robot, you aren't alone. Now, it seems that reCAPTCHAv2, the version you're likely familiar with as the most recent version that directly tests your image recognition, can be beaten with a 100% success rate by current-gen AI models. Per a research paper appropriately titled "Breaking reCAPTCHAv2" submitted to arXiv on September 13, usage of the existing You Only Look Once (YOLO) object recognition model after training it with 14,000 labeled traffic images enabled it to defeat reCAPTCHAv2 with a 100% success rate. So, what does this mean for Internet users and website operators today? It depends! As it turns out, Google's reCAPTCHAv2 is actually a bit outdated compared to reCAPTCHAv3, which uses other metrics to determine whether a user is human or not rather than directly testing them with image recognition challenges... unless the web host chooses to enable the feature. There are potential false positives seen with reCAPTCHAv3 that, in theory, should be alleviated by the ability to fall back on the reCAPTCAv2 tests...but now that it's common knowledge that reCAPTCHAv2 is defeatable, the landscape could change more quickly than we anticipate. As the conclusion of the original paper says, "By conducting systematic experiments, we have shown that automated systems using advanced AI technologies, such as YOLO models, can successfully solve image-based captchas. [...] This finding raises doubts about the reliability of image-based captchas as a definitive method for distinguishing between humans and bots. Our findings indicate that current captcha mechanisms are not immune to the rapidly advancing field of artificial intelligence." After discussing how future studies could be improved, the paper continues, "The use of Google's reCAPTCHAv2 has played a crucial role in improving website security on the Internet by successfully differentiating between actual users and automated bots. It fulfills various practical applications, tackling some of the most urgent security issues on the Internet. For example, reCAPTCHAV2 addresses the scraping issue [...] by preventing automated theft to divert advertising income or gain a competitive advantage. This has become more relevant with the popularity of Large Language Models, LLMs, and the massive amounts of data required to train them." In short, this study wasn't done purely to flex the inadequacy of reCAPTCHAv2 in the face of the awesome power of AI. If anything, the researchers conclude that the existence of strong, functioning captcha systems or similar are good if not "vital" to have for the future of a healthy Internet -- and they're right! While the Introduction of the paper asserts that "we are now officially in the age beyond captchas", the conclusion affirms the "necessity for captcha technologies to evolve proactively, staying ahead of AI's rapid enhancements".

Scientists Made an AI Model That Beats CAPTCHAs Every Single Time

Researchers have made an AI bot capable of beating image-based CAPTCHAs 100 percent of the time, according to a new scientific paper. Internet users will be familiar with image-based CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) that show a grid of images requiring the user to select the panels with objects such as motorcycles or traffic lights contained within. CAPTCHAs are a security measure that helps to prevent spam and bot attacks by veryfing the user is human. But thanks to AI technology developments, PhD student Andreas Plesmer and his colleagues at ETH Zurich University in Switzerland were able to build a model capable of beating Google's ReCAPTCHA v2 system every time. Ars Technica reports that Plesner used a fine-tuned version of the open-source YOLO (You Only Look Once) object-recognition model which was previously used by a clothing line to confuse AI cameras. To beat Google's reCAPTCHA v2, scientists trained the model on 14,000 labeled images so it could learn the objects likely to show up on the CAPTCHA. The model can identify pictures of a motorcycle 69 percent of the time but for fire hydrants, it was 100 percent of the time. Regardless, the model was able to pass the CAPTCHA test every time even when given multiple challenges. Internauts may have noticed that image-based CAPTCHAs are appearing less and less, that's because Google began phasing out the picture CAPTCHA system years ago in favor of reCAPTCHA v3; an invisible security measure that analyzes user interactions to decide if it's human rather than giving a specific challenge. But Ars Technica notes that reCAPTCHA v2 is still used by millions of websites and reCAPTCHA v3 still uses v2 as a fallback option when it suspects the user is a bot. Previous studies attempting to beat CAPTCHAs with image-recognition models have had a success rate of around 70 percent. Plesmer and his colleagues say the rise to 100 percent "shows that we are now officially in the age beyond CAPTCHAs." "In some sense, a good CAPTCHA marks the exact boundary between the most intelligent machine and the least intelligent human," the authors' write. "As machine learning models close in on human capabilities, finding good CAPTCHAs has become more difficult."