A Simple Attack on CaptchaStar

  • Conference paper
Information Systems Security and Privacy (ICISSP 2018)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 977)

Abstract

CaptchaStar is a new type of Captcha, proposed in 2016, based on shape recovery. This paper shows that the security of this Captcha is not as good as intended. More precisely, we present and implement an efficient attack on CaptchaStar with a success rate of 96%. The impact of this attack is also investigated in other scenarios, such as noise addition, where it remains very efficient. This paper is a revised version of the paper entitled How to break CaptchaStar, presented at the conference ICISSP 2018 [29].

Notes

  1. Captcha will now be written in lower case for better readability of the paper.

References

  1. von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: CAPTCHA: using hard AI problems for security. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 294–311. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-39200-9_18

  2. von Ahn, L., Blum, M., Hopper, N.J., Langford, J.: Telling humans and computers apart automatically. Commun. ACM 47(2), 57–60 (2004)

  3. von Ahn, L., Dabbish, L.: Labeling images with a computer game. In: SIGCHI Conference on Human Factors in Computing Systems, pp. 319–326 (2004)

  4. von Ahn, L., Dabbish, L.: Designing games with a purpose. Commun. ACM 51(8), 58–67 (2008)

  5. von Ahn, L., Maurer, B., McMillen, C., Abraham, D., Blum, M.: reCAPTCHA: human-based character recognition via web security measures. Science 321, 1465–1468 (2008)

  6. Algwil, A., Ciresan, D., Liu, B.B., Yan, J.: A security analysis of automated Chinese turing tests. In: Annual Conference on Computer Security Applications (ACSAC), pp. 520–532 (2016)

  7. Baird, H.S., Coates, A.L., Fateman, R.J.: PessimalPrint: a reverse turing test. Int. J. Doc. Anal. Recognit. 5(2–3), 158–163 (2003)

  8. Bursztein, E., Aigrain, J., Moscicki, A., Mitchell, J.C.: The end is nigh: generic solving of text-based CAPTCHAs. In: USENIX Workshop on Offensive Technologies (WOOT) (2014)

  9. Bursztein, E., Beauxis, R., Paskov, H.S., Perito, D., Fabry, C., Mitchell, J.C.: The failure of noise-based non-continuous audio CAPTCHAs. In: IEEE Symposium on Security and Privacy (S&P), pp. 19–31 (2011)

  10. Bursztein, E., Bethard, S.: DeCAPTCHA: breaking 75% of ebay audio CAPTCHAs. In: USENIX Conference on Offensive Technologies (2009)

  11. Bursztein, E., Bethard, S., Fabry, C., Mitchell, J.C., Jurafsky, D.: How good are humans at solving CAPTCHAs? A large scale evaluation. In: IEEE Symposium on Security and Privacy (S&P), pp. 399–413 (2010)

  12. Bursztein, E., Martin, M., Mitchell, J.: Text-based CAPTCHA strengths and weaknesses. In: ACM Conference on Computer and Communications Security (CCS), pp. 125–138 (2011)

  13. Bursztein, E., Moscicki, A., Fabry, C., Bethard, S., Mitchell, J.C., Jurafsky, D.: Easy does it: more usable CAPTCHAs. In: Conference on Human Factors in Computing Systems (CHI), pp. 2637–2646 (2014)

  14. Chellapilla, K., Larson, K., Simard, P.Y., Czerwinski, M.: Building segmentation based human-friendly human interaction proofs (HIPs). In: Baird, H.S., Lopresti, D.P. (eds.) HIP 2005. LNCS, vol. 3517, pp. 1–26. Springer, Heidelberg (2005). https://doi.org/10.1007/11427896_1

  15. Chellapilla, K., Larson, K., Simard, P.Y., Czerwinski, M.: Designing human friendly human interaction proofs. In: ACM Conference on Human Factors in Computing Systems (CHI), pp. 711–720 (2005)

  16. Chellapilla, K., Simard, P.Y.: Using machine learning to break visual human interaction proofs (HIPs). In: Neural Information Processing Systems (NIPS), pp. 265–272 (2004)

  17. Chew, M., Tygar, J.D.: Image recognition CAPTCHAs. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 268–279. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30144-8_23

  18. Conti, M., Guarisco, C., Spolaor, R.: CAPTCHaStar! A novel CAPTCHA based on interactive shape discovery. In: Manulis, M., Sadeghi, A.-R., Schneider, S. (eds.) ACNS 2016. LNCS, vol. 9696, pp. 611–628. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-39555-5_33

  19. Conti, M., Guarisco, C., Spolaor, R.: CAPTCHaStar demo (2016). http://captchastar.math.unipd.it/demo.php

  20. Cui, J.S., Mei, J.T., Zhang, W.Z., Wang, X., Zhang, D.: A CAPTCHA implementation based on moving objects recognition problem. In: IEEE International Conference on E-Business and E-Government (ICEE), pp. 1277–1280 (2010)

  21. Datta, R., Li, J., Wang, J.Z.: Imagination: a robust image-based CAPTCHA generation system. In: ACM International Conference on Multimedia, pp. 331–334 (2005)

  22. Elson, J., Douceur, J.R., Howell, J., Saul, J.: Asirra: a CAPTCHA that exploits interest-aligned manual image categorization. In: ACM Conference on Computer and Communications Security (CCS), pp. 366–374 (2007)

  23. Fidas, C., Voyiatzis, A., Avouris, N.: On the necessity of user-friendly CAPTCHA. In: SIGCHI Conference on Human Factors in Computing Systems (CHI), pp. 2623–2626 (2011)

  24. Gao, H., Wang, W., Qi, J., Wang, X., Liu, X., Yan, J.: The robustness of hollow CAPTCHAs. In: ACM Conference on Computer and Communications Security (CCS), pp. 1075–1086 (2013)

  25. Gao, H., et al.: A simple generic attack on text CAPTCHAs. In: Network and Distributed System Security Symposium (NDSS) (2016)

  26. Golle, P.: Machine learning attacks against the asirra CAPTCHA. In: ACM Conference on Computer and Communications Security (CCS), pp. 535–542 (2008)

  27. Goodfellow, I.J., Bulatov, Y., Ibarz, J., Arnoud, S., Shet, V.D.: Multi-digit number recognition from street view imagery using deep convolutional neural networks. CoRR abs/1312.6082 (2013)

  28. Gossweiler, R., Kamvar, M., Baluja, S.: What’s up CAPTCHA? A CAPTCHA based on image orientation. In: 18th International Conference on World Wide Web (WWW), pp. 841–850 (2008)

  29. Gougeon, T., Lacharme, P.: How to break CAPTCHaStar. In: 4th International Conference on Information Systems Security and Privacy (ICISSP), pp. 41–51 (2018)

  30. Hernández-Castro, C.J., R-Moreno, M.D., Barrero, D.F., Gibson, S.: Using machine learning to identify common flaws in CAPTCHA design: FunCAPTCHA case analysis. Comput. Secur. 70, 744–756 (2017)

  31. Hernández-Castro, C.J., Ribagorda, A.: Pitfalls in CAPTCHA design and implementation: the math CAPTCHA, a case study. Comput. Secur. 29, 141–157 (2010)

  32. Hindle, A., Godfreya, M.W., Holt, R.C.: Reverse engineering CAPTCHAs (2008)

  33. Kim, J., Kim, S., Yang, J., Ryu, J., Wohn, K.: FaceCAPTCHA: a CAPTCHA that identifies the gender of face images unrecognized by existing gender classifiers. Multimed. Tools Appl. 72(2), 1215–1237 (2014)

  34. Kim, J., Chung, W., Cho, H.: A new image-based CAPTCHA using the orientation of the polygonally cropped sub-images. Vis. Comput. 26, 1135–1143 (2010)

  35. Kluever, K.A., Zanibbi, R.: Balancing usability and security in a video CAPTCHA. In: ACM Symposium on Usable Privacy and Security (SOUPS) (2009)

  36. Mohamed, M., Gao, S., Saxena, N., Zhang, C.: Dynamic cognitive game CAPTCHA usability and detection of streaming-based farming. In: Workshop NDSS on Usable Security (USEC) (2014)

  37. Mohamed, M., et al.: A three-way investigation of a game-CAPTCHA: automated attacks, relay attacks and usability. In: ACM Symposium on Information, Computer and Communications Security (ASIACCS), pp. 195–206 (2014)

  38. Mori, G., Malik, J.: Recognizing objects in adversarial clutter: breaking a visual CAPTCHA. In: Conference on Computer Vision and Pattern Recognition (CVPR), pp. 133–144 (2003)

  39. Motoyama, M., Levchenko, K., Kanich, C., McCoy, D., Voelker, G.M., Savage, S.: Re: CAPTCHAs-understanding CAPTCHA-solving services in an economic context. In: USENIX Security Symposium, vol. 10, pp. 435–462 (2010)

  40. Naor, M.: Verification of a human in the loop or identification via the turing test (1996)

  41. Nejati, H., Cheung, N.M., Sosa, R., Koh, D.C.I.: DeepCAPTCHA: an image CAPTCHA based on depth perception. In: ACM Multimedia Systems Conference (MMSys), pp. 81–90 (2014)

  42. Nguyen, V.D., Chow, Y.W., Susilo, W.: On the security of text-based 3D CAPTCHAs. Comput. Secur. 45, 84–99 (2014)

  43. Osadchy, M., Hernandez-Castro, J., Gibson, S., Dunkelman, O., Perez-Cabo, D.: No bot expects the deepCAPTCHA! Introducing immutable adversarial examples with applications to CAPTCHA. IACR Cryptology ePrint Archive (2016)

  44. Pinkas, B., Sander, T.: Securing passwords against dictionary attacks. In: ACM Computer and Security Conference (CCS), pp. 161–170 (2002)

  45. Rui, Y., Liu, Z.: Artifacial: automated reverse turing test using facial features. Multimed. Syst. 9(6), 493–502 (2004)

  46. Shirali-Shahreza, S., Shirali-Shahreza, M.: CAPTCHA for children. In: IEEE International Conference on System of Systems Engineering (SoSE), pp. 1–6 (2008)

  47. Simonyan, K., Zisserman, A.: Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556 (2014)

  48. Sivakorn, S., Polakis, I., Keromytis, A.D.: I am robot: (deep) learning to break semantic image CAPTCHAs. In: IEEE European Symposium on Security and Privacy (EuroS&P), pp. 388–403 (2016)

  49. Tam, J., Simsa, J., Hyde, S., von Ahn, L.: Breaking audio CAPTCHAs. In: Advances in Neural Information Processing Systems (NIPS), pp. 1625–1632 (2008)

  50. Thomas, K., McCoy, D., Grier, C., Kolcz, A., Paxson, V.: Trafficking fraudulent accounts: the role of the underground market in Twitter spam and abuse. In: USENIX Security Symposium, pp. 195–210 (2013)

  51. Truong, H.D., Turner, C.F., Zou, C.C.: iCAPTCHA: the next generation of CAPTCHA designed to defend against 3rd party human attacks. In: IEEE International Conference on Communications (ICC), pp. 1–6 (2011)

  52. Turing, A.M.: Computing machinery and intelligence. Mind 59(236), 433–460 (1950)

  53. Wilkins, J.: Strong CAPTCHA guidelines. Technical Report (v1.2) (2009)

  54. Xu, Y., Reynaga, G., Chiasson, S., Frahm, J.M., Monrose, F., van Oorschot, P.C.: Security and usability challenges of moving-object CAPTCHAs: decoding codewords in motion. In: USENIX Security Symposium, pp. 49–64 (2012)

  55. Yan, J., Ahmad, A.S.E.: Breaking visual CAPTCHAs with naive pattern recognition algorithms. In: Annual Computer Security Applications Conference (ACSAC), pp. 279–291 (2007)

  56. Yan, J., Ahmad, A.S.E.: A low-cost attack on a Microsoft CAPTCHA. In: ACM Conference on Computer and Communications Security (CCS), pp. 543–554 (2007)

  57. Yan, J., Ahmad, A.S.E.: Usability of CAPTCHAs or usability issues in CAPTCHA design. In: 4th Symposium on Usable Privacy and Security (SOUPS), pp. 44–52 (2008)

  58. Yan, J., Ahmad, A.S.E.: CAPTCHA security: a case study. IEEE Secur. Priv. 7(4), 22–28 (2009)

  59. Zhu, B.B., et al.: Attacks and design of image recognition CAPTCHAs. In: ACM Conference on Computer and Communications Security (CCS), pp. 187–200 (2010)

Author information

Correspondence to Thomas Gougeon or Patrick Lacharme.

A Appendix

Figure 5 describes the first part of the attack on a toy example with \(n_{max} = 2\), \(\ell = 4\), \(n_s = 4\). First, the grid is split into 4 tiles. The center of each tile gives the coordinates \(c_k\), which generate a state \(S^k\). A score is then computed for each state with the maxConcentration heuristic, which splits the grid into 9 tiles of \(4 \times 4\) pixels and adds the pixel counts of the two tiles containing the most pixels. For the state \(S^3\), the tiles containing the most pixels are the center tile and the top-center tile. Each contains 2 stars, and each star contains 4 pixels, so the score obtained for \(S^3\) is 16. This is the maximum score among the generated states, so \(c_3\) gives the coordinates of the approximate solution.

Figure 6 describes the second part of the attack with \(\ell _2 =2\). A tile of size \(2 \times 2\) pixels is drawn using \(c_3\) as its center. A state is generated for each point of the tile and a score is computed using the maxConcentration heuristic. The points are represented by the coordinates \(\left\{ c_3, c_5, c_6, \dots , c_{12} \right\} \). \(S^8\) is the state leading to the largest score, and it is the solution of the challenge.
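The maxConcentration score and the arg-max selection used in both parts of the toy example, as an added sketch (not the authors' code). The function names, the 12×12 grid, the 2×2 star shape and the star positions are assumptions constructed to match the numbers in the text; how a cursor position maps to a state is not modelled, so states are supplied directly as pixel sets.

```python
from collections import Counter

def max_concentration(pixels, tile=4, n_max=2):
    """Sum the lit-pixel counts of the n_max fullest tile x tile tiles."""
    counts = Counter((x // tile, y // tile) for x, y in pixels)
    # most_common() copes with fewer than n_max occupied tiles.
    return sum(count for _, count in counts.most_common(n_max))

def best_state(states, tile=4, n_max=2):
    """Return (name, score) of the state with the highest score."""
    scores = {name: max_concentration(p, tile, n_max)
              for name, p in states.items()}
    name = max(scores, key=scores.get)
    return name, scores[name]

def star(x, y):
    """Constructed 2x2 star (4 pixels), top-left corner at (x, y)."""
    return {(x + dx, y + dy) for dx in (0, 1) for dy in (0, 1)}

def state(*corners):
    """Constructed state: union of the stars at the given corners."""
    return set().union(*(star(x, y) for x, y in corners))

# Constructed 12x12 states (9 tiles of 4x4 pixels), y = 0 at the top.
STATES = {
    "S1": state((0, 0), (8, 0), (0, 8), (8, 8)),  # one star per corner tile
    "S2": state((0, 0), (2, 2), (8, 4), (4, 8)),  # two stars share one tile
    "S3": state((4, 4), (6, 6), (4, 0), (6, 2)),  # center + top-center tiles
    "S4": state((3, 3), (8, 8), (0, 8), (8, 0)),  # one star straddles 4 tiles
}

if __name__ == "__main__":
    for name, pixels in STATES.items():
        print(name, max_concentration(pixels))
    print("best:", best_state(STATES))
```

Only the layout of S3 and its score of 16 come from the text; the other states are filler chosen so that S3 is the unique maximum.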

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Gougeon, T., Lacharme, P. (2019). A Simple Attack on CaptchaStar. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2018. Communications in Computer and Information Science, vol 977. Springer, Cham. https://doi.org/10.1007/978-3-030-25109-3_4

  • DOI: https://doi.org/10.1007/978-3-030-25109-3_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-25108-6

  • Online ISBN: 978-3-030-25109-3

  • eBook Packages: Computer Science, Computer Science (R0)
