Skip to main content

Using machine learning to identify common flaws in CAPTCHA design: FunCAPTCHA case analysis

Hernández-Castro, Carlos Javier, R-Moreno, María D., Barrero, David F., Gibson, Stuart J. (2017) Using machine learning to identify common flaws in CAPTCHA design: FunCAPTCHA case analysis. Computers and Security, 70 . pp. 744-756. ISSN 0167-4048. (doi:10.1016/j.cose.2017.05.005) (KAR id:63555)

PDF Author's Accepted Manuscript
Language: English
Download (949kB) Preview
[thumbnail of HernandezCastro2017_proof.pdf]
This file may not be suitable for users of assistive technology.
Request an accessible format
Official URL


Human Interactive Proofs (HIPs 1 or CAPTCHAs 2) have become a first-level security measure on the Internet to avoid automatic attacks or minimize their effects. All the most widespread, successful or interesting CAPTCHA designs put to scrutiny have been successfully broken. Many of these attacks have been side-channel attacks. New designs are proposed to tackle these security problems while improving the human interface. FunCAPTCHA is the first commercial implementation of a gender classification CAPTCHA, with reported improvements in conversion rates. This article finds weaknesses in the security of FunCAPTCHA and uses simple machine learning (ML) analysis to test them. It shows a side-channel attack that leverages these flaws and successfully solves FunCAPTCHA on 90% of occasions without using meaningful image analysis. This simple yet effective security analysis can be applied with minor modifications to other HIPs proposals, allowing to check whether they leak enough information that would in turn allow for simple side-channel attacks.

Item Type: Article
DOI/Identification number: 10.1016/j.cose.2017.05.005
Uncontrolled keywords: HIPCAPTCHAMachine learningGender classificationSide-channel attack
Subjects: Q Science
Divisions: Divisions > Division of Natural Sciences > School of Physical Sciences
Depositing User: Stuart Gibson
Date Deposited: 25 Sep 2017 13:04 UTC
Last Modified: 16 Feb 2021 13:48 UTC
Resource URI: (The current URI for this page, for reference purposes)
Gibson, Stuart J.:
  • Depositors only (login required):


Downloads per month over past year