The AI Hardness of CAPTCHAs does not imply Robust Network Security

  • Allan Caine
  • Urs Hengartner
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 238)


A CAPTCHA is a special kind of AI hard test to prevent bots from logging into computer systems. We define an AI hard test to be a problem which is intractable for a computer to solve as a matter of general consensus of the AI community. On the Internet, CAPTCHAs are typically used to prevent bots from signing up for illegitimate e-mail accounts or to prevent ticket scalping on e-commerce web sites. We have found that a popular and distributed architecture for implementing CAPTCHAs used on the Internet has a flawed protocol. Consequently, the security that the CAPTCHA ought to provide does not work and is ineffective at keeping bots out. This paper discusses the flaw in the distributed architecture’s protocol. We propose an improved protocol while keeping the current architecture intact. We implemented a bot, which is 100% effective at breaking CAPTCHAs that use this flawed protocol. Furthermore, our implementation of the improved protocol proves that it is not vulnerable to attack. We use two popular web sites, and, to demonstrate our point.


Target Image Message Authentication Code Normalize Cross Correlation Cypher Text Baseball Team 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    von Ahn, L., Blum, M., Langford, J.: Telling humans and computers apart auto-matically. Commnications of the ACM 47(2) (2004) 57–60CrossRefGoogle Scholar
  2. 2.
    Yahoo! Inc.: Yahoo e-mail sign up. (2007)
  3. 3.
    Minnesota Twins Major League Baseball: Minnesota twins electronic ticketing. (2007)
  4. 4.
    Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-hashing for message authentication. Internet RFC 2104 (1997)Google Scholar
  5. 5.
    Lewis, J.P.: Fast template matching. Vision Interface (1995) 120–123Google Scholar
  6. 6.
    Caine, A., Hengartner, U.: Data set. php/demo.htm (2007)
  7. 7.
    Caine, A., Hengartner, U.: Implementation of proposed protocol. http://www. (2007)
  8. 8.
    Youtube: Sign up page for (2007)
  9. 9.
    The CAPTCHA Project at Carnegie Mellon University. http://www.captcha. net/ (2006)
  10. 10.
    PWNtcha captcha decoder. (2006)
  11. 11.
    Fukuda, K., Garrigue, M.A., Gilman, A.: Inaccessibility of CAPTCHA. W3C (2005)Google Scholar
  12. 12.
    Mori, G., Malik, J.: Recognizing objects in adversarial clutter: Breaking a visual CAPTCHA. In: CVPR. Volume 1. (2003) 134–141Google Scholar
  13. 13.
    Doctorow, C.: Solving and creating captchas with free porn. (2004)
  14. 14.
    von Ahn, L., Blum, M., Hopper, N., Langford, J.: CAPTCHA: Using hard AI problems for security. Eurocrypt (2003)Google Scholar

Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Allan Caine
    • 1
  • Urs Hengartner
    • 1
  1. 1.University of WaterlooCanada

Personalised recommendations