Repetition Breaks Google Audio CAPTCHA

Google has fixed a flaw in its Audio CAPTCHA software that could have given scammers a way to automatically set up phoney accounts with the company’s services.

The flaw was described in a post to the Full Disclosure mailing list Monday. According to the post, anyone could pass a Google Audio CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) test by typing in any 10 words as the response.

CAPTCHA is testing software used by many websites to cut down on online fraud. Sites often use CAPTCHA systems to make sure that new accounts are created by human beings, instead of automated scripts. Typically a CAPTCHA test presents a hard-to-read image of a word, which the user must then type in to prove he is not a machine. The audio version gives visually impaired users a way to use CAPTCHA, by playing a recorded sound of the test word.

According to Harry Strongburg, the Full Disclosure poster who reported the issue, typing “google google google google google google google google google google,” for example, would yield a correct response, no matter what the test word.

Google moved quickly to fix the bug after it was disclosed.

“We fixed a bug in our audio CAPTCHA validation last night within a few hours,” said spokesman Jay Nancarrow on Tuesday in an e-mail message. “Audio CAPTCHAs continue to function normally.”

That’s a good thing, because, in theory, scammers could have leveraged this bug to quickly create thousands of malicious Google accounts. Google’s Gmail service has been used by spammers, said Paul Ferguson, a security researcher with Trend Micro. And Blogger and Google Groups have been used to spread malware, he added in an instant message interview.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert’s e-mail address is robert_mcmillan@idg.com