We Cracked AOL’s Text CAPTCHA

Arkose Labs, Sep 16, 2015

Text CAPTCHAs don’t work.

Despite this, some of the biggest companies on the internet still rely on them — for example, AOL. We noticed they were relying on a simple text CAPTCHA to guard their sign-up process and felt we needed to put it to the test.

Unsurprisingly, and like every other text CAPTCHA today, it failed to prevent automation.

[Image: AOL’s text CAPTCHA]

Why does this CAPTCHA, and many like it, fail to protect websites like AOL? It’s simple: because they’re so easily broken by anyone who is interested in doing so.

[Image: Before]

Simple thresholding algorithms can remove the background noise, and the text can then be run through an Optical Character Recognition (OCR) engine. By doing this, users with malicious intent can automate sign-ups and flood forums and websites with spam.

[Image: After]
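An added example (not from the original post): a generator-side check showing why background noise drawn at a different intensity from the glyphs adds no protection, since one global threshold separates the two. Otsu's method is used here as one simple thresholding algorithm (the post does not name one); the labelled pixel lists are constructed sample data, and `otsu_threshold`, `audit` and `sample` are names introduced for this illustration.

```python
def otsu_threshold(values):
    """Global threshold t maximising between-class variance; pixels <= t count as ink."""
    hist = [0] * 256
    for v in values:
        hist[v] += 1
    total, sum_all = len(values), sum(values)
    best_t, best_var, w0, sum0 = 0, -1.0, 0, 0
    for t in range(256):
        w0 += hist[t]            # pixels at or below t
        sum0 += t * hist[t]      # their intensity sum
        w1 = total - w0
        if w0 == 0 or w1 == 0:   # one class empty: variance undefined
            continue
        var = w0 * w1 * (sum0 / w0 - (sum_all - sum0) / w1) ** 2
        if var > best_var:
            best_t, best_var = t, var
    return best_t


def audit(pixels):
    """pixels: list of (grey_value, label). Returns the threshold and the
    fraction of text and noise pixels that remain dark after thresholding."""
    t = otsu_threshold([v for v, _ in pixels])

    def kept(label):
        vals = [v for v, lab in pixels if lab == label]
        return sum(v <= t for v in vals) / len(vals)

    return {"threshold": t, "text_kept": kept("text"), "noise_kept": kept("noise")}


def sample(noise_base):
    """Constructed data: glyph pixels at 20..60, noise at noise_base..+40, white paper."""
    text = [(20 + i % 41, "text") for i in range(820)]
    noise = [(noise_base + i % 41, "noise") for i in range(410)]
    paper = [(255, "paper")] * 2770
    return text + noise + paper


if __name__ == "__main__":
    print("lighter noise:", audit(sample(170)))  # noise lighter than the glyphs
    print("darker noise: ", audit(sample(20)))   # noise as dark as the glyphs
```

A `noise_kept` of 0.0 means the noise is stripped by a single threshold while the glyphs survive intact. A high value shows only that this one weakness is absent, not that the image resists recognition.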

Once you run OCR over the image, you get something similar to the following image, where you can simply select the text from the image:

[Image: AOL CAPTCHA with the text highlighted]

The software required to do all of this is easily available (we won’t be linking it here). For security purposes, this just isn’t acceptable.

If this sort of security is so unreliable, why then do websites (even some of the biggest in the world) still rely on it? It’s simple: for the last decade, there had never been a reliable CAPTCHA alternative that didn’t annoy users. FunCaptcha was born out of this necessity for innovation.
