A CAPTCHA is a special kind of AI-hard test used to prevent bots from
logging into computer systems. We define an AI-hard test to be a
problem that, by general consensus of the AI community, is intractable
for a computer to solve. On the Internet, CAPTCHAs are
typically used to prevent bots from signing up for illegitimate email
accounts or to prevent ticket scalping on e-commerce web sites. We
have found that a popular distributed architecture used on the
Internet has a flawed protocol. Consequently, the CAPTCHA does not
provide the security it ought to and is ineffective at keeping
bots out. This paper discusses the flaw in the distributed
architecture's protocol. We propose an improved protocol while
keeping the current architecture intact. We implemented a bot that
is 100% effective at breaking CAPTCHAs that use this flawed
protocol. Furthermore, our implementation of our proposed protocol
proves that it is not vulnerable to attack. We use two popular web
sites, tickets.com and youtube.com, to demonstrate our point.