An oracle-based attack on CAPTCHAs protected against oracle attacks

TL;DR

This paper reveals fundamental flaws in a recent CAPTCHA design that allow attackers to exploit the system as an oracle, enabling complete learning attacks and defeating its security measures.

Contribution

The paper identifies and demonstrates critical vulnerabilities in a proposed CAPTCHA scheme, showing how to bypass its defenses using an oracle-based attack.

Findings

The attack can increase success rate to 100%

Flaws exist in trap image design and uncertainty grading

The proposed CAPTCHA can be fully compromised

Abstract

CAPTCHAs/HIPs are security mechanisms that try to prevent automatic abuse of services. They are susceptible to learning attacks in which attackers can use them as oracles. Kwon and Cha presented recently a novel algorithm that intends to avoid such learning attacks and "detect all bots". They add uncertainties to the grading of challenges, and also use trap images designed to detect bots. The authors suggest that a major IT corporation is studying their proposal for mainstream implementation. We present here two fundamental design flaws regarding their trap images and uncertainty grading. These leak information regarding the correct grading of images. Exploiting them, an attacker can use an UTS-CAPTCHA as an oracle, and perform a learning attack. Our testing has shown that we can increase any reasonable initial success rate up to 100%.