Today I read a paper titled “Side-channel attack on labeling CAPTCHAs”
The abstract is:
We propose a new scheme of attack on the Microsoft’s ASIRRA CAPTCHA which represents a significant shortcut to the intended attacking path, as it is not based in any advance in the state of the art on the field of image recognition.
After studying the ASIRRA Public Corpus, we conclude that the security margin as stated by their authors seems to be quite optimistic.
Then, we analyze which of the studied parameters for the image files seems to disclose the most valuable information for helping in correct classification, arriving at a surprising discovery.
This represents a completely new approach to breaking CAPTCHAs that can be applied to many of the currently proposed image-labeling algorithms, and to prove this point we show how to use the very same approach against the HumanAuth CAPTCHA.
Lastly, we investigate some measures that could be used to secure the ASIRRA and HumanAuth schemes, but conclude no easy solutions are at hand.