An oracle-based attack on CAPTCHAs protected against oracle attacks

CAPTCHAs/HIPs are security mechanisms that try to prevent automatic abuse of services. They are susceptible to learning attacks in which attackers can use them as oracles. Kwon and Cha presented recently a novel algorithm that intends to avoid such learning attacks and "detect all bots". T...

Full description

Saved in:
Bibliographic Details
Published inarXiv.org
Main Authors Hernández-Castro, Carlos Javier, R-Moreno, María D, Barrero, David F, Li, Shujun
Format Paper
LanguageEnglish
Published Ithaca Cornell University Library, arXiv.org 13.02.2017
Subjects
Algorithms
Flaw detection
Grading
Image detection
Machine learning
Uncertainty
Online AccessGet full text

Cover

More Information
Summary:CAPTCHAs/HIPs are security mechanisms that try to prevent automatic abuse of services. They are susceptible to learning attacks in which attackers can use them as oracles. Kwon and Cha presented recently a novel algorithm that intends to avoid such learning attacks and "detect all bots". They add uncertainties to the grading of challenges, and also use trap images designed to detect bots. The authors suggest that a major IT corporation is studying their proposal for mainstream implementation. We present here two fundamental design flaws regarding their trap images and uncertainty grading. These leak information regarding the correct grading of images. Exploiting them, an attacker can use an UTS-CAPTCHA as an oracle, and perform a learning attack. Our testing has shown that we can increase any reasonable initial success rate up to 100%.
ISSN:2331-8422