Is cheap labour behind the scene?

- Low-cost automated attacks on Yahoo CAPTCHAs

Jeff Yan and Ahmad Salah El Ahmad

Abstract: This paper reports novel, low-cost attacks on two Yahoo CAPTCHAs - one of them (Scheme 1) had been deployed until very recently, and the other (Scheme 2) is still in active use for protecting Yahoo's global email services. Both schemes are designed to be segmentation resistant - the state of the art suggests that such schemes should rely on segmentation resistance to provide a security guarantee, as individual character recognition after segmentation can be solved with a high success rate by standard methods such as neural networks. Our first attack achieved a segmentation success rate of around 77% on Scheme 1. As a result, we estimate that this scheme could be broken with an overall (segmentation and then recognition) success rate of about 60%. This is to date the most successful attack on the scheme. Since March 2008, Yahoo has replaced Scheme 1 with Scheme 2, a new CAPTCHA that introduces enhanced security features. Our second attack achieved a segmentation success rate of around 33.4% on this latest scheme. As a result, we estimate that this scheme could be broken with an overall success rate of about 25.9%. Our results show that spammers never had to employ cheap human labour to pass Yahoo CAPTCHAs. Rather, they could rely on low-cost automated attacks.

Full research paper [PDF] (forthcoming; held confidential for now, allowing Yahoo time to fix the vulnerabilities we have identified)

Note: Our attack on Yahoo Scheme 1 was tested in 2007. Our work on the latest Yahoo scheme was done during the Easter break in 2008. One copy of this paper was already sent to Yahoo in early April 2008.

Update: This paper has been reviewed by Yahoo! Engineering in Sunnyvale, California.

Please send questions or comments to Jeff Yan.

University of Newcastle, Computing Science Lab of Security Engineering (LSE) @ Newcastle