4

You all know captchas that require you to type some letters displayed in an obfuscated way as an image.

Recently I started to see more and more captchas that show you a set of small photos and require you to e.g. "select all street signs" or "click all photos depicting water".

However, are those captchas really anything but annoying?

Consider the famous Wolfram language project and their service ImageIdentify.com. You upload any picture there and it recognizes the content with surprisingly high precision.

So are those photo recognition captchas (not those that require you to read obfuscated letters, but those that require you to categorize images by their content) really a reliable way to distinguish human users from programs, as every skilled hacker has free access to such services?

Byte Commander
  • "useless" is a strong word and a little overreaching. They will have some use, and I think your question is how much use they might have. – schroeder May 10 '16 at 20:04
  • I think the key here is that at least Google uses images that are deliberately hard to distinguish - it is not just any pictures of X mixed with any pictures of Y, it is pictures of X that look sort of like Y, mixed with pictures of Y that look sort of like X. – Anders May 10 '16 at 20:52

2 Answers

3

People have been moderately successful at attacking these with OCR software and a variety of other non-OCR techniques. They do still slow automated attackers some, so they are still very useful, but they have been proven to be broken as a true test of human vs. machine for quite a while.

The following related links may be of use:

https://www.owasp.org/images/0/03/ASDC12-Attacking_CAPTCHAs_for_Fun_and_Profit.pdf

https://security.googleblog.com/2014/12/are-you-robot-introducing-no-captcha.html

https://www.owasp.org/index.php/Testing_for_Captcha_(OWASP-AT-008)

https://cintruder.03c8.net/

http://caca.zoy.org/wiki/PWNtcha

http://churchturing.org/captcha-dist/

http://www.lafdc.com/captcha/

http://www.cs.sfu.ca/~mori/research/gimpy/

http://www.puremango.co.uk/2005/11/breaking_captcha_115/

http://securesoftware.blogspot.com/2007/11/captcha-placebo-security-control-for.html

Again, there is a lot of value in slowing the attacker down and making attacks more expensive, so these are still very useful, albeit annoying.

Trey Blalock
2

The challenge you're describing (select images that meet criteria) is actually two machine problems. 1: figure out what it wants (somehow parse "select all images that contain water" or, the more difficult, find out what's in an image and "match" it to similar pictures of something, i.e. a turkey) and then 2: figure out how to categorize images (tell which ones have water in them) against just that criterion.

The first one is natural language and in some cases (probably cases where their suspicions of bot-like behavior are higher) image recognition of a single image, hard but not impossible. But for task two, I honestly don't think the imageIdentify service (or any similar service) has a chance at responding reliably as to the water content of any given image, or whether or not it's a turkey. They might get it right 50% of the time, which in itself is impressive, but the threshold to fool the captcha is 100% and in my experience playing with different test images, it just won't do it.

Jeff Meden
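The arithmetic behind the "50% per image versus a 100% threshold" point and the "slowing the attacker down" point in the two answers above, as an added example that is not part of any post on this page. It shows how a site owner can estimate how often an automated classifier would pass a whole challenge. The 9-image grid, independent per-image errors, the tolerated-error setting and the attempt limit are assumptions made for illustration.

```python
from math import comb


def challenge_pass_probability(per_image_accuracy, images, tolerated_errors=0):
    """Probability that a solver mislabels at most `tolerated_errors` of the
    `images` tiles, assuming each tile is judged independently (assumption)."""
    p = per_image_accuracy
    return sum(
        comb(images, k) * (1 - p) ** k * p ** (images - k)
        for k in range(tolerated_errors + 1)
    )


def expected_attempts(pass_probability):
    """Average number of challenges a solver burns before one pass."""
    return float("inf") if pass_probability == 0 else 1 / pass_probability


def success_within_attempts(pass_probability, attempts):
    """Probability of at least one pass when the site allows only `attempts`
    tries per client (hypothetical rate limit) before blocking it."""
    return 1 - (1 - pass_probability) ** attempts


if __name__ == "__main__":
    GRID = 9      # assumed number of images per challenge
    LIMIT = 5     # assumed attempts allowed before lockout
    print("accuracy  strict_pass  one_error_ok  avg_tries  pass_in_5")
    for accuracy in (0.5, 0.8, 0.9, 0.99):
        strict = challenge_pass_probability(accuracy, GRID)
        lenient = challenge_pass_probability(accuracy, GRID, tolerated_errors=1)
        print(
            f"{accuracy:8.2f}  {strict:11.4f}  {lenient:12.4f}  "
            f"{expected_attempts(strict):9.1f}  "
            f"{success_within_attempts(strict, LIMIT):9.4f}"
        )
```

Under these assumptions a 50%-accurate classifier passes a strict 9-image challenge about once in 512 tries, while each point of per-image accuracy or grading leniency the defender gives away raises that rate quickly.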