Cracking Captcha in Javascript!

Cracking captcha in JavaScript: yes, you read that right 🙂 Now it is proved that captcha can be cracked by writing an OCR engine using neural nets in JavaScript.

ShaunF has written a GreaseMonkey script that automatically solves the captcha provided by the site Megaupload.

Click here to check out the online demo of this hack.

John Resig dissects the neural network JavaScript OCR captcha code and explains how the hack works:

  1. The HTML 5 Canvas getImageData API is used to get at the pixel data from the Captcha image. Canvas gives you the ability to embed an image into a canvas (from which you can later extract the pixel data back out again).
  2. The script includes an implementation of a neural network, written in pure JavaScript.
  3. The pixel data, extracted from the image using Canvas, is fed into the neural network in an attempt to divine the exact characters being used – in a sort of crude form of Optical Character Recognition (OCR).
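The pixel data in step 1 arrives as a flat RGBA byte array, and a site owner can read the same layout to check whether their own captcha hands a crude OCR cleanly separated characters. This is an added example, not ShaunF's script or John Resig's code; the function names, the 128 luma threshold and the two sample images are assumptions constructed for illustration.

```javascript
// Input uses the ImageData.data layout returned by getImageData():
// row-major pixels, 4 bytes each (R, G, B, A).

// Count dark ("ink") pixels in every column of the image.
function inkPerColumn(rgba, width, height, threshold = 128) {
  const counts = new Array(width).fill(0);
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const i = (y * width + x) * 4;
      // Rec. 601 luma; fully transparent pixels count as background.
      const luma = 0.299 * rgba[i] + 0.587 * rgba[i + 1] + 0.114 * rgba[i + 2];
      if (rgba[i + 3] > 0 && luma < threshold) counts[x]++;
    }
  }
  return counts;
}

// Return [start, end] column ranges separated by completely blank columns.
function glyphRuns(counts) {
  const runs = [];
  let start = -1;
  counts.forEach((c, x) => {
    if (c > 0 && start < 0) start = x;
    if (c === 0 && start >= 0) { runs.push([start, x - 1]); start = -1; }
  });
  if (start >= 0) runs.push([start, counts.length - 1]);
  return runs;
}

// True when the image splits into exactly `expectedChars` isolated glyphs,
// i.e. each character can be recognised on its own: a weak captcha.
function isTriviallySegmentable(rgba, width, height, expectedChars) {
  return glyphRuns(inkPerColumn(rgba, width, height)).length === expectedChars;
}

// Constructed sample: rows of '#' (ink) and '.' (background) rendered to RGBA.
function render(rows) {
  const width = rows[0].length, height = rows.length;
  const rgba = new Uint8ClampedArray(width * height * 4);
  rows.forEach((row, y) => [...row].forEach((ch, x) => {
    const v = ch === '#' ? 0 : 255;
    rgba.set([v, v, v, 255], (y * width + x) * 4);
  }));
  return { rgba, width, height };
}

// Four spaced glyphs, then the same glyphs joined by a strike-through line.
const spaced = render(['##..#..##..#', '#...#..#...#', '##..#..##..#']);
const joined = render(['##..#..##..#', '############', '##..#..##..#']);
```

Run over a sample of a generator's output, a high share of images passing `isTriviallySegmentable` means the design relies on nothing but glyph shape.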

On a related note, some time back I wrote a post on “Is Captcha Secure?”

Now it is proved that captcha isn’t secure. Thanks to ShaunF for his amazing piece of JavaScript code 🙂

Naveen. V


7 thoughts on “Cracking Captcha in Javascript!”

  1. Jordy says:


    Great blog.
    But I was wondering how you can make such a script as the Megaupload script.
    How to crack the Captcha?

  2. Naveen says:

    Thanks Jordy for dropping by.

    Cracking captcha in Megaupload using OCR was reported on Jan 09 and they’ve fixed the issue. Now it is not possible to use this technique to crack the captcha.

    Naveen. V

  3. Jordy says:

    But is it possible to make this for other smaller websites?

  4. Naveen says:

    Hey Jordy,

    Not all websites are hackable. It all depends on how well they’ve written the code in both client and server side. There are many certifications/courses like CEH (Certified Ethical Hacking) available which will legally train you on expanding your hacking skills.

    Naveen. V

  5. Robert says:

    First thing is, this crack has ALMOST nothing to do with the canvas element. Almost every captcha gets generated on a different (sub)domain, so if a GreaseMonkey script draws the image onto a canvas it isn’t able to get the image data of this canvas anymore. This is because of the same domain policy. The script bypasses this policy by using the special XMLHTTP object of GreaseMonkey. It requests the captcha image file from the server a second time and then it draws it on the canvas by interpreting the byte stream. Then it reads the image data from the canvas. You see it doesn’t make any sense to use the canvas as some sort of buffer.

    Second thing is, the captchas of megaupload aren’t real captchas. A captcha has to be hard for a machine to solve. But the captchas of megaupload consist of four letters that are really easy to identify.

    It is NOT proven that captchas aren’t secure. It is proven that weak captchas (especially megaupload captchas) aren’t secure. But that’s common knowledge. Try to break reCaptcha this way.

    The script is great nonetheless as you can learn a lot about GIF decoding and neural networks.

  6. says:

    You are my intake, I have few web logs and rarely run out from post :).

  7. bachir says:

    i like your site
