Side-channel attack on the HumanAuth CAPTCHA

We propose a new scheme of attack on the HumanAuth CAPTCHA which represents a significant shortcut to the intended attacking path, as it is not based in any advance in the state of the art on the field of image recognition. After analyzing the HumanAuth image database with a new approach based on statistical analysis and machine learning, we conclude that it cannot fulfill the security objectives intended by its authors. Then, we analyze which of the studied parameters for the image files seem to disclose the most valuable information for helping in correct classification, arriving at a surprising discovery. We also analyze if the image watermarking algorithm presented by the HumanAuth authors is able to counter the effect of this new attack. Our attack represents a completely new approach to breaking image labeling CAPTCHAs, and can be applied to many of the currently proposed schemes. Lastly, we investigate some measures that could be used to increase the security of image labeling CAPTCHAs as HumanAuth, but conclude no easy solutions are at hand.