Reverse Engineering CAPTCHAs

Authors: Abram Hindle, Michael W. Godfrey, Richard C. Holt

Venue: SANER 2008 15th Working Conference on Reverse Engineering, pp. 59-68, 2008

Year: 2008

Abstract: CAPTCHAs are automated Turing tests used to determine if the end-user is human and not an automated program. Users are asked to read and answer Visual CAPTCHAs, which often appear as bitmaps of text characters, in order to gain access to a low-cost resource such as webmail or a blog. CAPTCHAs are generated by software and the structure of a CAPTCHA gives hints to its implementation. Thus, due to these properties of image processing and image composition, the process that creates CAPTCHAs can often be reverse engineered. Once the implementation strategy of a family of CAPTCHAs has been reverse engineered, the CAPTCHA instances may be solved automatically by leveraging weaknesses in the creation process or by comparing a CAPTCHA's output against itself. In this paper, we present a case study where we reverse engineer and solve real-world CAPTCHAs using simple image processing techniques such as bitmap comparison, thresholding, fill-flood segmentation, dilation, and erosion. We present black-box and white-box methodologies for reverse engineering and solving CAPTCHAs. As well, we provide an open source toolkit for solving CAPTCHAs that we have used with success rates of 99%, 95%, 61%, 30%, and 27% on hundreds of CAPTCHAs from five real-world examples.

BibTeX:

@inproceedings{abramhindle2008rec,
    author = "Abram Hindle and Michael W. Godfrey and Richard C. Holt",
    title = "Reverse Engineering CAPTCHAs",
    year = "2008",
    pages = "59-68",
    booktitle = "Proceedings of 2008 15th Working Conference on Reverse Engineering"
}

Plain Text:

Abram Hindle, Michael W. Godfrey, and Richard C. Holt, "Reverse Engineering CAPTCHAs," 2008 15th Working Conference on Reverse Engineering, pp. 59-68