ChatGPT Can Be Tricked Into Solving CAPTCHAs, Experts Warn
Researchers at SPLX have demonstrated that ChatGPT can be deceived with carefully crafted prompts and compelled to solve CAPTCHA tests — a task long considered the exclusive domain of humans. This experiment casts doubt on the reliability of a mechanism that for decades has served as a cornerstone of website defenses against spam and automated attacks.
CAPTCHAs were originally designed as filters: images, logic puzzles, or interface elements meant to prove that a real human — not a bot — was interacting with the system. If a large language model, under the right sequence of instructions, can bypass these checks, it upends the very foundation of modern internet security.
According to researcher Dorian Schulz, direct attempts to have the model solve a series of CAPTCHAs were refused, with the system citing usage-policy restrictions. The team then adopted a different approach: they constructed a dialogue about so-called “fake” tests, persuading the model that it would be working exclusively with those. In this context, ChatGPT remarked that the task was interesting from a reasoning standpoint and agreed to participate, provided it did not violate any rules.
The next step was to open a new session with ChatGPT-4o, copy the text from the earlier conversation, and present it as a continuation. The agent accepted the framing and immediately began working on the solutions. It performed particularly well with single-click tests, logical puzzles, and text recognition. More complex image challenges — requiring objects to be moved or rotated — proved harder, though in several instances the responses were still correct.
Schulz emphasized that, to the best of his team’s knowledge, this is the first documented case of a GPT agent successfully solving advanced graphical CAPTCHAs. The question of how long such tests can continue to serve as a reliable safeguard in an era of increasingly capable AI systems now looms larger than ever.
OpenAI declined to comment when approached by journalists. Restrictions have been bypassed through so-called prompt injection before, however. This week, Radware researchers showed that with a single carefully crafted email, it was possible to trick an assistant into revealing Gmail secrets. Last month, Amazon patched vulnerabilities in Q Developer that allowed malicious prompts to be injected and even enabled remote code execution.
The SPLX experiment underscores a sobering reality: even foundational defenses like CAPTCHA are no longer a dependable barrier. As generative models grow more sophisticated, the line separating humans from automated systems in such verification tasks becomes increasingly blurred.