Carlos Javier Hernández-Castro, Arturo Ribagorda, Yago Saez


We propose a new attack scheme against the HumanAuth CAPTCHA that represents a significant shortcut to the intended attack path, as it is not based on any advance in the state of the art in the field of image recognition. After analyzing the HumanAuth image database with a new approach based on statistical analysis and machine learning, we conclude that it cannot fulfill the security objectives intended by its authors. We then analyze which of the studied parameters of the image files seem to disclose the most valuable information for correct classification, arriving at a surprising discovery. We also analyze whether the image watermarking algorithm presented by the HumanAuth authors is able to counter the effect of this new attack. Our attack represents a completely new approach to breaking image-labeling CAPTCHAs, and can be applied to many of the currently proposed schemes. Lastly, we investigate some measures that could be used to increase the security of image-labeling CAPTCHAs such as HumanAuth, but conclude that no easy solutions are at hand.



Paper Citation

in Harvard Style

Javier Hernández-Castro C., Ribagorda A. and Saez Y. (2010). SIDE-CHANNEL ATTACK ON THE HUMANAUTH CAPTCHA. In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2010) ISBN 978-989-8425-18-8, pages 59-65. DOI: 10.5220/0002994000590065
