ChatGPT solves CAPTCHAs if you tell it they’re fake
Researchers have convinced ChatGPT to solve CAPTCHAs, even though it’s against its policy.
If you’re seeing fewer or different CAPTCHA puzzles in the near future, that’s not because website owners have agreed that they’re annoying, but it might be because they no longer prove that the visitor is human.
For those who forgot what CAPTCHA stands for: Completely Automated Public Turing test to tell Computers and Humans Apart.
The fact that AI bots can bypass CAPTCHA systems is nothing new. Sophisticated bots have been bypassing CAPTCHA systems for years using methods such as optical character recognition (OCR), machine learning, and AI, making traditional CAPTCHA challenges increasingly ineffective.
Most of the openly accessible AI chat agents have been barred from solving CAPTCHAs by their developers. But now researchers say they’ve found a way to get ChatGPT to solve image-based CAPTCHAs. They did this by prompt injection, similar to “social engineering” a chatbot into doing something it would refuse if you asked it outright.
In this case, the researchers convinced ChatGPT-4o that it was solving fake CAPTCHAs.
According to the researchers:
“This priming step is crucial to the exploit. By having the LLM affirm that the CAPTCHAs were fake and the plan was acceptable, we increased the odds that the agent would comply later.”
This is something I have noticed myself. When I ask an AI to help me analyze malware, it often starts by saying it is not allowed to help me, but once I convince it I’m not going to improve it or make a new version of it, then it’ll often jump right in and assist me in unravelling it. By doing so, it provides information that a cybercriminal could use to make their own version of the malware.
The researchers proceeded by copying the conversation they had with the chatbot into the ChatGPT agent they planned to use.
A chatbot is built to answer questions and follow specific instructions given by a person, meaning it helps with single tasks and relies on constant user input for each step. In contrast, an AI agent acts more like a helper that can understand a big-picture goal (for example, “book me a flight” or “solve this problem”) and can take action on its own, handling multi-step tasks with less guidance needed from the user.
A chatbot relies on the person to provide every answer, click, and decision throughout a CAPTCHA challenge, so it cannot solve CAPTCHAs on its own. In contrast, an AI agent plans tasks, adapts to changes, and acts independently, allowing it to complete the entire CAPTCHA process with minimal user input.
What the researchers found is that the agent had no problems with one-click CAPTCHAs, logic-based CAPTCHAs, and CAPTCHAs based on text recognition. It had more problems with image-based CAPTCHAs requiring precision (drag-and-drop, rotation, etc.), but managed to solve some of those as well.
Is this the next step in the arms race, or will web developers accept that AI agents and AI browsers are helping a human get the information they need from a website, with or without having to solve a puzzle?