• Corpus ID: 14367961

Shortcomings in CAPTCHA Design and Implementation: Captcha2, a Commercial Proposal

Carlos Javier Hernández-Castro, Jonathan D. Stainton-Ellis, Arturo Ribagorda, Julio César Hernández Castro
Many CAPTCHA proposals have shortcomings in their design or implementation that make them much weaker than intended. In this paper we study Captcha2, a commercial algorithm, as a means of showing typical flaws that make many CAPTCHAs prone to successful low-cost attacks. The attack we present makes no use of any AI techniques, not affecting the resilience of the original AI problem this CAPTCHA is (supposedly) based upon. That’s why it can be considered a pure side-channel attack. We conclude… 

On the strength of egglue and other logic captchas

Current Semantic and Logic CAPTCHAs are listed, how strong they are is examined, and whether this model is suited or not for automatic challenge generation and grading is discussed.



CAPTCHA: Using Hard AI Problems for Security

This work introduces captcha, an automated test that humans can pass, but current computer programs can't pass; any program that has high success over a captcha can be used to solve an unsolved Artificial Intelligence (AI) problem; and provides several novel constructions of captchas, which imply a win-win situation.

Side-channel attack on labeling CAPTCHAs

A completely new approach to breaking CAPTCHAs that can be applied to many of the currently proposed image-labeling algorithms, and to prove this point it is shown how to use the very same approach against the HumanAuth CAPTCHA.

A low-cost attack on a Microsoft captcha

It is shown that CAPTCHAs that are carefully designed to be segmentation-resistant are vulnerable to novel but simple attacks, including the schemes designed and deployed by Microsoft, Yahoo and Google.

Remotely Telling Humans and Computers Apart: An Unsolved Problem

A state-of-the-art survey of current HIPs, including proposals that are now into production, and how many implementation flaws can transform a not necessarily bad idea into a weak CAPTCHA.

Breaking Visual CAPTCHAs with Naive Pattern Recognition Algorithms

  • Jeff Yan, A. E. Ahmad
  • Computer Science
    Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007)
  • 2007
This paper documents how most such visual CAPTCHAs provided at Captchaservice.org, a publicly available web service for CAPTCHA generation, were broken with a near 100% success rate by their novel attacks.

Reverse Engineering CAPTCHAs

This paper reverse engineers and solves real-world CAPTCHAs using simple image processing techniques such as bitmap comparison, thresholding, fill-flood segmentation, dilation, and erosion and provides an open source toolkit for solving CAPTCHA instances.

Machine learning attacks against the Asirra CAPTCHA

  • P. Golle
  • Computer Science
    IACR Cryptol. ePrint Arch.
  • 2008
A classifier which is 82.7% accurate in telling apart the images of cats and dogs used in Asirra, which is significantly higher than the estimate of 0.2% given in [7] for machine vision attacks.


We propose using a "Turing Test" in order to verify that a human is the one making a query to a service over the web. Thus, before a request is processed the user should answer as a challenge an

Compulsive voting

The main aim is to point out that frauds are constantly being carried out in quizzes and polls with prizes and to warn administrators to take actions to avoid them.