Is cheap labour behind the scene? - Low-cost automated attacks on Yahoo CAPTCHAs

Lookup NU author(s): Dr Jeff Yan, Ahmad Salah El Ahmad



This paper reports novel, low-cost attacks on two Yahoo CAPTCHAs - one of them had been deployed until very recently, and the other is still in active use for protecting Yahoo’s global email services. Both schemes are designed to be segmentation resistant - the state of the art suggests that such schemes should rely on segmentation resistance to provide a security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks. Our attack achieved a segmentation success rate of around 77% on the first Yahoo scheme. As a result, we estimate that this scheme could be broken with an overall (segmentation and then recognition) success rate of about 60%. This is to date the most successful attack on the scheme. The second Yahoo scheme introduces enhanced security features, and has replaced the first scheme since March 2008. We identified for the first time a side channel attack, which helped us to achieve a segmentation success rate of around 33.4% on the second Yahoo scheme. As a result, we estimate that this scheme could be broken with an overall success rate of about 25.9%. Our results show that spammers never had to employ cheap human labour to pass Yahoo CAPTCHAs. Rather, they could rely on low-cost automated attacks.

Publication metadata

Author(s): Yan J, Salah El Ahmad A

Publication type: Report

Publication status: Published

Series Title: School of Computing Science Technical Report Series

Year: 2008

Pages: 3

Print publication date: 01/11/2008

Source Publication Date: November 2008

Report Number: 1127

Institution: School of Computing Science, University of Newcastle upon Tyne

Place Published: Newcastle upon Tyne