Cloudflare, a web infrastructure and website security provider, told The Record last Wednesday that a recent academic paper describing a way to bypass the hCaptcha-based challenge system doesn’t affect its implementation.
Two academics from the University of Louisiana at Lafayette published a research paper last month that targets hCaptcha, the CAPTCHA service that replaced Google’s reCAPTCHA in Cloudflare’s website protection systems last year.
The researchers' paper is titled "An Attack on the hCaptcha Systems". They claimed to have developed an attack that used browser automation tools, image recognition, image classifiers, and machine learning algorithms to download hCaptcha puzzles, identify and classify the content of the images, and then solve the CAPTCHA challenge.
According to the academics, their attack was 95.93% accurate and took 18.76 seconds to crack an hCaptcha test.
While machine learning-based attacks against image-based CAPTCHA systems have been known before, this paper’s major breakthrough is that the research team was able to do this with very few computational resources. The attack rig consisted of a Docker container running Ubuntu, with a 3-core CPU and only 2GB of memory.
The research team also believes that the attack could be even more efficient if their in-house image classification system were replaced with modern online vision API services like Google Cloud Vision, Amazon Rekognition and Microsoft Azure Cognitive Vision. This could save them an average of one to two seconds.
In real life, these attacks could be used to bypass the hCaptcha image-based puzzles found on live websites. Whoever bypasses them can then automate attacks against the sites’ infrastructure, such as spamming and web scraping.
The researchers plan to present the attack at the Workshop on Offensive Technologies 2021 next month. This has concerned some website owners who use hCaptcha as part of their Cloudflare website security package.
In a phone conversation last Friday, Nick Sullivan, Cloudflare’s Head of Research, stated that hCaptcha was one of the many methods Cloudflare uses “to detect and possibly block automated traffic” and that additional systems are in place to detect automated attacks.
A spokesperson for hCaptcha stated that the organization was aware of the paper and had already implemented the mitigation techniques it describes when contacted last week.
hCaptcha admitted, however, that the free version of its software would not protect against all automated attacks because of several design decisions. Below is the full response from hCaptcha:
Although we already use the suggested mitigation techniques, our system is not designed to leak detections in real time. Using reCAPTCHA, you can sign up and receive a bot score. This makes it easy to break. (hCaptcha spokesperson)
This restricts the options for the free version that they tested. However, it won’t completely stop all detected automation passing when correct answers have been submitted.
It relies instead on the ability to change the types and classes of challenges frequently. It also features “anti-drain”, which prevents them from leaking.
After reviewing the paper, we concluded that the anti-drain protections worked as intended based on all the details.