Decaptcha Breaking Most Complicated CAPTCHA’s

Promoting web resources on internet can help in driving traffic to your website, One of the well-known black hat way is using bot-network for sending spams or advertisement, Bot is a special program that will work to automate certain tasks so a hacker will be sending just one instruction for the C&C server that will distribute the command for thousands of machine around the globe (this can be comment on a special CMS or Forum with a link to the malicious website).

One of the security measures against spams is the CAPTCHA text based protection, this can be annoying for certain users but it will decrease spams in a significant way. However as any technology it is always possible to crack or bypass this protection. Elie Bursztein, Matthieu Martin, and John C. Mitchell at Stanford University released a PoC for cracking some of the most complicated Captcha using a new tool called Decaptcha.

“We tested the efficiency of our tool Decaptcha against real captchas from Authorize, Baidu, Blizzard,, CNN, Digg, eBay,Google, Megaupload, NIH, Recaptcha, Reddit, Skyrock, Slashdot, and Wikipedia. As far as we know none of these captcha schemes had been reported broken prior to this work. Of these 15 captchas, we had 1%-10% success rate on two (Baidu, Skyrock), 10-24% on two (CNN, Digg), 25-49% on four (eBay, Reddit, Slashdot, Wikipedia), and 50% or greater on five (Authorize, Blizzard,, Megaupload, NIH).”  (1)

The only two CAPTCHA technologies that resisted this attack are Google and reCaptcha.This research prove that spamming and other malicious problems cannot be resolved locally and the only way is by more cooperation on the cyberspace and that each country start by cleaning their cyberspace from all malicious programs.


(1)    Text-based CAPTCHA Strengths and Weaknesses:

Notify of
Inline Feedbacks
View all comments