We Cracked AOL’s Text CAPTCHA
Text CAPTCHAs don’t work.
Despite this, some of the biggest companies on the internet still rely on them — for example, AOL. We noticed they were relying on a simple text CAPTCHA to guard their sign-up process and felt we needed to put it to the test.
Unsurprisingly, and like every other text CAPTCHA today, it failed to prevent automation.
Why does this CAPTCHA, and many like it, fail to protect websites like AOL? It’s simple: because they’re so easily broken by anyone who is interested in doing so.
Simple thresholding algorithms can remove the background noise, after which the text can be run through an Optical Character Recognition (OCR) engine. By doing this, users with malicious intent can automate sign-ups and flood forums and websites with spam.
Once you run OCR over the image, you get something similar to the following image, where you can simply select the text from the image:
The software required to do all of this is easily available (we won’t be linking it here). For security purposes, this just isn’t acceptable.
If this sort of security is so unreliable, why then do websites (even some of the biggest in the world) still rely on it? It’s simple: for the last decade, there had never been a reliable CAPTCHA alternative that didn’t annoy users. FunCaptcha was born out of this necessity for innovation.