Broken CAPTCHAs and Fractured Equity: Privacy and Security in hCaptcha's Accessibility Workflow

Note: Presentation times are in Pacific Standard Time (PST).

Wednesday, February 02, 2022 - 11:35 am12:05 pm

Steven Presser, Independent Researcher


hCaptcha, a commercial CAPTCHA product, currently protects 12-15% of websites against automation, including the talk submission website for this conference. It presents humans a picture-based puzzle to solve and uses the results to label datasets. Therefore, it only provides a visual CAPTCHA. In order to comply with accessibility requirements, hCaptcha provides a special "accessibility workflow," which requires additional information from users. However, this workflow has two major issues: it could be used to de-anonymize users and can be fully automated.

In this talk, I will examine how such a system was created. I begin with a brief background on CAPTCHAs, an overview of relevant assistive technologies for people with disabilities, and how the two interact. Next, I will discuss the disparate user experiences between the mainstream workflow and the accessibility workflow – as well as the privacy implications of their differences. I will discuss the design factors and requirements hCaptcha used when designing the accessibility workflow and then summarize the automation attack, including my responsible disclosure of the attack. Finally, I will conclude with a discussion of hCaptcha’s future plans for a more inclusive and privacy-friendly CAPTCHA, as well as asking some larger questions about the future of the CAPTCHA. These include: Is the era of the CAPTCHA at an end? If so, do we replace them and with what? How do we ensure inclusive access without creating security gaps?

Steven Presser, Independent Researcher

A tinkerer of many things software, Steve has been writing code since his early teens. He was first drawn to security (and subsequently privacy)by watching a peer perform an SQL injection on one of his first large projects at age 14. Later, Steve received his Bachelors in Computer Science from Johns Hopkins University and has since worked for Microsoft, Cray, and HPE. He is currently a researcher at HLRS in Stuttgart, Germany. He has also served as an expert witness and written proof-of-concept code for a brief to the U.S. Supreme Court.
@conference {277339,
author = {Steven Presser},
title = {Broken {CAPTCHAs} and Fractured Equity: Privacy and Security in {hCaptcha{\textquoteright}s} Accessibility Workflow},
year = {2022},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = feb

Presentation Video