CAPTCHAs provide protection from automated robot attacks against online forms and services. Image recognition CAPTCHAs, which require users to perform an image recognition task, have been proposed as a more robust alternative to character recognition CAPTCHAs. However, in recent years, a number of web services that deal with content-based image retrieval and analysis have been developed and released for public consumption. These web services can be used in completely unexpected ways to attack image CAPTCHAs. In this paper, we consider three specific kinds of web services: 1) Reverse Image Search (RIS), 2) Image Similarity Search (ISS), and 3) Automatic Linguistic Annotation (ALA). We show how the functionality of these image-based web services, used in conjunction with regular expressions, keyword ontologies and some statistical analysis/inference, can pose a dangerous attack that easily bypasses the hard AI problem used in challenges for typical image CAPTCHAs. We also discuss effective defensive measures that can be utilized to make CAPTCHAs more resistant to the attack vectors these web services provide.