A Low-Cost Attack against the hCaptcha System
This exposes a vulnerability in hCaptcha, a widely used security system, enabling low-cost, large-scale attacks by malicious bots.
The paper tackled the problem of breaking hCaptcha image CAPTCHAs, achieving a 95.93% success rate on 270 live challenges with an average time of 18.76 seconds per challenge.
CAPTCHAs are a defense mechanism to prevent malicious bot programs from abusing websites on the Internet. hCaptcha is a relatively new but emerging image CAPTCHA service. This paper presents an automated system that can break hCaptcha challenges with a high success rate. We evaluate our system against 270 hCaptcha challenges from live websites and demonstrate that it can solve them with 95.93% accuracy while taking only 18.76 seconds on average to crack a challenge. We run our attack from a docker instance with only 2GB memory (RAM), 3 CPUs, and no GPU devices, demonstrating that it requires minimal resources to launch a successful large-scale attack against the hCaptcha system.