A study on the vulnerability of CAPTCHA patterns of Iranian popular websites and presenting approaches for resolving it

CAPTCHA creates tests that humans can easily answer to them, but the computers would not be able to recognize and respond to them. Given that one of the main ways to break the CAPTCHA is to use Optical Character Recognition (OCR), in this study, the vulnerability rate of CAPTCHA patterns used in 20 top Iranian websites versus the OCR solutions was investigated. The study showed that 43% of surveyed websites either do not use CAPTCHA or use patterns that can be broken without using OCR. In addition,except for CAPTCHA patterns used by three websites, including Blogfa.com, Varzesh3com and Persianblog.com, other patterns used by Iranian popular websites were broken by two approaches of Captcha Sniper and GSA Captcha Breaker with 15 to 96 percent success rate. In the end, some corrective suggestions were proposed to fix the existing vulnerabilities, and a safe Persian CAPTCHA was suggested based on them, which has a high readability for human user due to the use of a Persian dictionary. In addition, considering the specific security features of this new CAPTCHA pattern, even in case of relative development of Persian OCR solutions, it is unlikely to break this CAPTCHA.