Using machine learning to identify common flaws in CAPTCHA design: FunCAPTCHA case analysis

Hernández-Castro, Carlos Javier and R-Moreno, María D. and Barrero, David F. and Gibson, Stuart J. (2017) Using machine learning to identify common flaws in CAPTCHA design: FunCAPTCHA case analysis. Computers and Security, 70 . pp. 744-756. ISSN 0167-4048. (doi: (Access to this publication is currently restricted. You may be able to access a copy if URLs are provided)

PDF - Publisher pdf
Restricted to Repository staff only
Contact us about this Publication Download (949kB)
Official URL


Human Interactive Proofs (HIPs 1 or CAPTCHAs 2) have become a first-level security measure on the Internet to avoid automatic attacks or minimize their effects. All the most widespread, successful or interesting CAPTCHA designs put to scrutiny have been successfully broken. Many of these attacks have been side-channel attacks. New designs are proposed to tackle these security problems while improving the human interface. FunCAPTCHA is the first commercial implementation of a gender classification CAPTCHA, with reported improvements in conversion rates. This article finds weaknesses in the security of FunCAPTCHA and uses simple machine learning (ML) analysis to test them. It shows a side-channel attack that leverages these flaws and successfully solves FunCAPTCHA on 90% of occasions without using meaningful image analysis. This simple yet effective security analysis can be applied with minor modifications to other HIPs proposals, allowing to check whether they leak enough information that would in turn allow for simple side-channel attacks.

Item Type: Article
Uncontrolled keywords: HIPCAPTCHAMachine learningGender classificationSide-channel attack
Divisions: Faculties > Sciences > School of Physical Sciences > Forensic Imaging Group
Faculties > Sciences > School of Physical Sciences
Depositing User: Stuart Gibson
Date Deposited: 25 Sep 2017 13:04 UTC
Last Modified: 17 Aug 2018 09:15 UTC
Resource URI: (The current URI for this page, for reference purposes)
  • Depositors only (login required):


Downloads per month over past year