Recognition-heavy CAPTCHAs are already fragile.
Path finding, animal selection, and image recognition tasks can be solved reliably by current MLLMs within practical retry and time budgets.
This paper studies how multimodal large language models (MLLMs) undermine the security guarantees of visual CAPTCHA. We identify the attack surface where an adversary can cheaply automate CAPTCHA solving using off-the-shelf models. We evaluate 7 representative MLLMs across 18 CaptchaWorld task types and 3 supplemental external categories, totaling 21 visual CAPTCHA task types, measuring single-shot accuracy, success under limited retries, end-to-end latency, and per-solve cost. We further validate our findings through a supplemental external dataset and an adaptive-attacker setting with session memory, while also analyzing the impact of task-specific prompt engineering and few-shot demonstrations on solver effectiveness. We reveal that MLLMs can reliably solve recognition-oriented and low-interaction CAPTCHA tasks at human-like cost and latency, whereas tasks requiring fine-grained localization, multi-step spatial reasoning, or cross-frame consistency remain significantly harder for current models.
Key findings
COGNITION evaluates seven representative multimodal LLMs on 21 visual CAPTCHA task types and 458 instances, measuring accuracy, retry behavior, latency, and per-solve cost.
Path finding, animal selection, and image recognition tasks can be solved reliably by current MLLMs within practical retry and time budgets.
Tasks requiring fine-grained localization, ordering, counting, or cross-frame consistency remain substantially harder for current models.
Adding fine-grained localization and implicit counting to Select_Animal reduced state-of-the-art MLLM success from over 95% to 0%.
Poster
This landscape poster distills the paper into a conference-style visual: research question, evaluation framework, task hardness gap, defense redesign, and artifact link.
The wide format is tuned for on-page reading, with the benchmark, hardness taxonomy, and defense validation visible at once.
The paper includes a Zenodo artifact package and is marked Artifact Evaluated - Available.
The strongest defenses shift away from simple recognition and toward spatial grounding, ordering, and counting.
Paper hub
Current publications from the CV, organized as a compact research hub.
Junyu Wang, Changjia Zhu, Yuanbo Zhou, Lingyao Li, Xu He, Mingkui Wei, and Junjie Xiong.
Artifact package associated with the accepted paper, marked Artifact Evaluated - Available.
Ongoing work on prompt overflow defenses, LLM guardrails, and LLM-as-reviewer benchmarking.
Biography
I am a PhD student in Computer Science at Missouri University of Science and Technology. My research interests include agent and agentic system security, LLM security, web security, and related areas.
Ph.D. in Computer Science at Missouri S&T, 2025-present. B.Eng. in Data Science and Big Data Technology from USST, 2021-2025.
My accepted USENIX Sec'26 paper evaluates multimodal LLM CAPTCHA solvers and derives CAPTCHA hardening guidelines.
My research interests include agent and agentic system security, LLM security, web security, and related areas.
I worked on data strategy systems at Fast Retailing (China).