Rise of the Spambots: 3 APIs For Beating CAPTCHAs

Garrett Wilkin
Oct. 17 2012, 12:15PM EDT

The Death By CAPTCHA API is one of three CAPTCHA beating APIs posted to our index in just the last week.  After taking a look at them I can say that they are just as seedy and sketchy as you would imagine.  Even so, I don't see these services going away anytime soon.  The existence of super cheap CAPTCHA beating systems begs the question, how effective is the visual CAPTCHA today?

Death By CAPTCHALet's take a look at a few examples.  The enticingly named Death By CAPTCHA service promotes it's super low price of $1.39 for 1000 solved CAPTCHAs.  Pretty reasonable, and it wastes no time in suggesting to potential API users how they might employ third world workers to create spam bots, saying "if you don't have the required programming skills to extract, store and send us the CAPTCHA, we recommend you to hire an overseas freelance programmer to help you in this task."

AntigateAntigate, sets the cost of doing business at a premium, coming in at a $7.00 per 1,000 solved CAPTCHA price point.  The good news for socially minded API consumers is that this API is all human powered.  Actually I guess that point is a little murky isn't it?  It is better or worse to be employing humans in such a task?  Leave your opinion in the comments!

Bypass CAPTCHAI've saved the best for last, because it's Bypass CAPTCHA who stands out from this crowd.  This service displays a bit of business acumen by promoting an API business strategy for profit sharing with partners. That's forward thinking even among today's leading technology companies and I have to give credit where it is due.  Sure, the delivery of this proposal could be a bit more polished, but this is a spam bot service afterall.  In their own words, "I can understand that it is not easy these days to sell more copies of your softwares and earn more cashes."

The best news yet, is that there's a service called Are You A Human? which offers a great alternative to image CAPTCHAs.  With their "play thru" technology, users are presented with simple games to play to demonstrate their humanity.  And thus the CAPTCHA turing test arms race continues.

There are at least 15 different CAPTCHA APIs in our index.  Why not hook up a CAPTCHA creation service to one of the decoding services and have a little fun?

Garrett Wilkin

Comments

Comments(7)

Hi all,

Max from Are You a Human here. I just want to point out that the hack David points to is from May. That hack no longer gets past us.

We don't just look for our games to be played correctly; we also look at details such as mouse movements to track *how* the game is played. Thus, bots can play our games correctly and still be detected as bots. You can read more about this on our blog: http://areyouahuman.com/how-playthru-stops-the-bots/

Still, Garrett's right that it's an ongoing battle: as verification systems improve, so do bots, and there will never be a flawless system. At Are You a Human, we're working constantly to improve our security without throwing usability out the window.

David, to our knowledge there are no bots that are currently able to pass our games. If we're mistaken, please let us know.

Thanks for taking the time to check us out!

Max

max@areyouahuman.com

(313) 312-5537

David, that is an awesome comment! Thanks for sharing the hack of the "Are You A Human?" games. Apparently we are already past that next step of being able to crack the game, but no one has yet made it available as a paid API service. I wonder how long that will take.

Alicia

I agree that a lot of these programs can seem a little seedy but they are also used for good things in some circumstances! I work for the visually impaired and we use a piece of software called rumola (which is human based) at work to help our service users browse the internet independently with the help of screen reading software. It seems to be a quality product and we haven't seen it fail a CAPTCHA yet!

Alicia, I considered that angle as I was writing the story. However, I felt that the motivation to help those with visual and or auditory impairments was not the prime motivation of these services. They seemed to be geared toward spam rather than increasing accessibility to users. I did not want to grant them a noble purpose which they did not seem to be pursuing. I'd love to hear more about your work for the visually impaired. Maybe there's an opportunity to profile APIs that increasing the accessibility of the web.