Computer researchers at the Stanford Security Laboratory have created a computer program to decode audio CAPTCHAs on website account registration forms, thus revealing a security flaw that leaves users vulnerable to automated attacks.

CAPTCHA, which stands for Completely Automated Public Turing Test to tell Computers and Humans Apart, is a computer program meant to identify humans. It is a widespread security system used by websites to determine whether a user is actually human.  

There are two types of CAPTCHA programs. One deals with wavy images and the other is concerned with audio. In case of wavy images, if a user registers for online access to a website, it is likely he or she is required, as part of the process, to correctly read a group of distorted letters and numbers on the screen. That's a simple test to prove you are a human, not a computer program with malicious intent. Though computers are good at filling out forms, they struggle to decipher these wavy images crisscrossed with lines. This process is known as CAPTCHA, according to the researchers.

The audio CAPTCHA is designed to help the visually impaired. It requires users to accurately listen to a string of spoken letters and/or numbers disguised with background noise.

According to Stanford researchers, they have found an audible security flaw in the audio CAPTCHA.

Now computer science professor John Mitchell and postdoctoral researcher Elie Bursztein, along with other staff members of the Stanford Security lab, have built a computer program that can correctly decipher commercial audio CAPTCHA used by Digg, eBay, Microsoft, Yahoo and reCAPTCHA, a company that creates CAPTCHAs. The results were presented during a symposium on security and privacy in Oakland, Calif.

The Stanford program is called DeCAPTCHA, and it successfully decoded Microsoft's audio CAPTCHA about 50 percent of the time, said the researchers. However, decoding reCAPTCHA’s codes was not easy. According to the researchers, “they correctly broke only about one percent of reCAPTCHA's codes, the most difficult ones of those tested.” But the Stanford researchers believe that even this small success rate is considered trouble for websites such as YouTube and Facebook that get hundreds of millions of visitors each day.

"In the battle of humans versus computers, we lost round one for audio captchas," Bursztein said. "But we have a good idea of what round two should be," added Bursztein.

To test the program, the researchers generated 4 million audio CAPTCHAs mixed with white noise, echoes or music. After training DeCAPTCHA with some samples, they found that the program easily decoded CAPTCHAs mixed with static or repetition with a 60 to 80 percent success rate. But, with background music, the task was more difficult.