An oracle-based attack on CAPTCHAs protected against oracle attacks
This work exposes critical vulnerabilities in a security mechanism intended to protect online services from automated abuse, highlighting incremental risks in CAPTCHA design.
The paper identifies two fundamental design flaws in a recently proposed CAPTCHA algorithm that aims to prevent learning attacks by adding uncertainties and trap images, showing that these flaws allow attackers to exploit the system as an oracle and achieve up to 100% success rates in breaking it.
CAPTCHAs/HIPs are security mechanisms that try to prevent automatic abuse of services. They are susceptible to learning attacks in which attackers can use them as oracles. Kwon and Cha presented recently a novel algorithm that intends to avoid such learning attacks and "detect all bots". They add uncertainties to the grading of challenges, and also use trap images designed to detect bots. The authors suggest that a major IT corporation is studying their proposal for mainstream implementation. We present here two fundamental design flaws regarding their trap images and uncertainty grading. These leak information regarding the correct grading of images. Exploiting them, an attacker can use an UTS-CAPTCHA as an oracle, and perform a learning attack. Our testing has shown that we can increase any reasonable initial success rate up to 100%.