There are two fatal security flaws that make bypassing this captcha pretty trivial:
Flaw no. 1: disclosing MD5 hash of the answer
The random string in this captcha consists of 6 or 7 randomly chosen characters of the pattern A-z0-9. This string, which I will call the secret, is drawn to the actual captcha image but also hashed with MD5 and then sent to the client.
The problem with this approach is that MD5 is broken and insecure. It can be brute-forced very quickly as there are free rainbow tables out there for all alphanumeric strings of length 6 and 7, that allow reversing the hash back into the captcha secret in a matter of seconds.
Flaw no. 2: not resistant to computer vision
The image of the captcha is not resistant against even the most basic forms of computer vision.
This example captcha:
can be denoised using a simple median + threshold filter. After applying some logic to reorient the text, the resulting image looks like this:
Even free online OCR tools can reverse that back into the secret text.
I'm not sure about number 1, but my hypothesis is that they already provide a token which is used to identify the captcha in use, and this might lead to an implementation on the server side, rather than giving the hash directly to the client side.
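An added example, not part of the issue thread or the project's code: one way to avoid flaw no. 1 is to send the client only a random token and keep the answer on the server, consuming the challenge on the first check. The `CaptchaStore` class, its in-memory dict and the 120-second lifetime are assumptions made for illustration.

```python
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits  # assumed character set
TTL_SECONDS = 120                                # assumed challenge lifetime


class CaptchaStore:
    """In-memory stand-in for a server-side session or cache (hypothetical)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._challenges = {}  # token -> (secret, expires_at)

    def issue(self):
        """Create a challenge. Only the opaque token is sent to the client."""
        length = secrets.choice((6, 7))
        secret = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # The token is random and not derived from the secret, so nothing
        # sent to the client can be reversed into the answer.
        token = secrets.token_urlsafe(32)
        self._challenges[token] = (secret, self._clock() + TTL_SECONDS)
        # The secret is returned only so the server can render the image.
        return token, secret

    def verify(self, token, answer):
        """Single-use check: the challenge is consumed even on a wrong guess."""
        entry = self._challenges.pop(token, None)
        if entry is None:
            return False  # unknown or already used token
        secret, expires_at = entry
        if self._clock() > expires_at:
            return False  # challenge expired
        # Constant-time comparison of the stored secret and the submission.
        return hmac.compare_digest(secret.encode(), answer.encode())
```

Because a failed guess also removes the challenge, each image allows exactly one attempt and a new one must be issued afterwards.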