The Matter of Captchas: An Analysis of a Brittle Security Feature on the Modern Web
Ousat, Behzad; Schafir, Esteban; Tofighi, Mohammad; Hoang, Duc; Nguyen, Cuong; Arshad, Sajjad; Uluagac, Selcuk; Kharraz, Amin
Authors
Behzad Ousat
Esteban Schafir
Mohammad Tofighi
Duc Hoang
Dr Cuong Nguyen viet.c.nguyen@durham.ac.uk (Assistant Professor)
Sajjad Arshad
Selcuk Uluagac
Amin Kharraz
Abstract
The web ecosystem is a fast-paced environment. In this dynamic landscape, new security features are offered one after another to enhance the security and robustness of web applications and the operations they handle. This paper focuses on a fragile but still in-use security feature, text-based CAPTCHAs, that had been widely used by web applications in the past to protect against automated attacks such as credential stuffing and account hijacking. The paper first investigates what it takes to develop automated scanners that can solve previously unseen text-based CAPTCHAs. We evaluated the possibility of developing and integrating a pre-trained CAPTCHA solver in the automated web scanning process without using a significantly large training dataset. We also perform an analysis of the impact of such autonomous scanners on CAPTCHA-enabled websites. Our analysis shows that solvable text-based CAPTCHAs on login, contact, and comment pages of websites are not uncommon. In particular, we identified over 3,100 text-based CAPTCHA websites in critical sectors such as finance, government, and health with hundreds of thousands of users. We showed that a web scanner with a pre-trained solver could solve more than 20% of previously unseen CAPTCHAs in just one single attempt. This result is worrisome considering the substantial potential to autonomously run the operation across thousands of websites on a daily basis with minimal training. The findings suggest that the integration of autonomous scanning with pre-training and local optimization of models can significantly increase adversaries' asymmetric power to launch their attacks cheaper and faster.
Citation
Ousat, B., Schafir, E., Tofighi, M., Hoang, D., Nguyen, C., Arshad, S., Uluagac, S., & Kharraz, A. (2024, May). The Matter of Captchas: An Analysis of a Brittle Security Feature on the Modern Web. Presented at The ACM Web Conference 2024, Singapore
Presentation Conference Type | Conference Paper (published) |
---|---|
Conference Name | The ACM Web Conference 2024 |
Start Date | May 13, 2024 |
End Date | May 17, 2024 |
Acceptance Date | Jan 23, 2024 |
Online Publication Date | May 13, 2024 |
Publication Date | 2024-05 |
Deposit Date | Apr 12, 2024 |
Publicly Available Date | May 22, 2024 |
Publisher | Association for Computing Machinery (ACM) |
Peer Reviewed | Peer Reviewed |
Pages | 1835-1846 |
Book Title | WWW '24: Proceedings of the ACM on Web Conference 2024 |
ISBN | 9798400701719 |
DOI | https://doi.org/10.1145/3589334.3645619 |
Public URL | https://durham-repository.worktribe.com/output/2382737 |
Files
Accepted Conference Paper (PDF, 1.4 Mb)