Student Research Lagniappe

11:30 AM – 1:30 PM  |  PFT 1246


Characterizing and Measuring In-the-Wild CAPTCHA Attacks

Abstract

In this paper, we design and implement C-FRAME, the first measurement system to collect real-time, in-the-wild data on modern CAPTCHA attacks. For this, we study the recent evolution in the protocols of CAPTCHAs as well as the human-driven farms that facilitate attacks against CAPTCHAs. This study leads us directly to the discovery of a unique vantage point from which to conduct a global-scale CAPTCHA attack measurement study. Harnessing this, we design and build C-FRAME to be CAPTCHA-agnostic and ethically considerate. We then deploy our system for a 92-day period, capturing 425,257 CAPTCHA attacks on 1,417 sites.

In order to characterize these attacks, we leverage a carefully designed qualitative analysis approach using three analysts. Our study results in the delineation of 34 different CAPTCHA-attack categories with several interesting real-world attack examples. Twitter received the largest number of CAPTCHA attacks overall (about 255,480 attack requests), most of which attempt to create bot accounts. We also categorized and captured attacks such as ticket scalping attempts (e.g., a Taylor Swift concert event in Brazil), fraudulent lawsuit claims, and abusive appointment booking attempts (e.g., a Spain visa site in China). We also found CAPTCHA-assisted attempts to download data from government websites (e.g., websites of 20 US states). We ascribe the captured attacks to 58 different countries across 5 continents. We present a detailed measurement analysis to give insights on this attack data and also suggest some potential future remediation measures that can be inspired by our system.

Hoang Dai Nguyen
Louisiana State University


A Study of Google Play’s Closed Testing Requirements for New Personal Developer Accounts

Abstract

In November 2023, Google Play introduced new closed testing requirements for apps submitted by developers operating with personal accounts, or indie app developers. These requirements mandate that at least 20 testers must remain opted-in (use the app) for at least 14 consecutive days before the app can be published on the Play Store. According to Google, these new requirements aim to ensure the quality and security of submitted apps. However, for individual developers operating without organizational support, adhering to such requirements can pose logistical challenges and lead to significant production delays.

To understand these challenges, in this paper, we qualitatively analyze app developers' discussions of the new Google Play closed testing requirements on Reddit. Additionally, we conducted interviews with 12 indie app developers seeking to adhere to the requirements. Our results show that the new testing requirements are commonly perceived as discriminatory, imposing logistical and bureaucratic barriers on small-scale creators in their quest to compete in the mobile app market. Our analysis also uncovers the various strategies the Android developer community has adopted to navigate such requirements. Based on our findings, we propose several guidelines to help indie app developers integrate the new testing requirements into their workflow. We further suggest various design strategies to mitigate the impact of such requirements on innovation, fairness, and competition in the mobile app market.

Grishma Shrestha
Louisiana State University