验证码是一种区分计算机和人类的安全技术，现在被大部分网站应用最多的是基于文本的图形验证码。正当很多基于文本的图形验证码被成功破解时，空心验证码作为最新颖的验证码设计之一，现已被各大网站应用到其用户登陆，邮箱注册，论坛评论等功能中，如雅虎、腾讯、新浪、中国移动和百度。空心验证码的一个主要特点是使用轮廓线形成连接的空心字符，同时达到了提高安全性和可用性的目标。现在的验证码破解技术很难分割和识别字符粘连的验证码，但是实心的字符粘连验证码会对人类的识别产生干扰，使用户的体验下降。而空心验证码，字符依旧是粘连的，但当人类识别时，却没有产生负面影响。在本文中，我们初步分析了空心验证码“健壮性”。介绍了一种简单而新颖的破解方法，使用颜色填充算法得到空心字符内部的笔画碎片，再将字符碎片重新组合，使用卷积神经网络对碎片组合成的字符进行识别并且得到相似度，最后使用图搜索的方法得到最优的碎片组合结果，从而成功的破解了空心验证码。本文中的验证码破解方法突破了传统的预处理，切分，识别的验证码破解三大步骤，在预处理之后，将切分和识别结合起来，以识别的相似度作为切分的依据，这在验证码破解领域是革命性的创新。本文中的方法可以成功地破解各类空心验证码，包括那些已经被大型网站应用的空心验证码，对雅虎、腾讯、新浪、中国移动和百度的空心验证码识别成功率分别达到36%、89%、59%、66%和51%。对当前空心验证码设计的安全性提出了质疑，除此之外，通过分析空心验证码的安全性得到经验教训，本文为设计出更好的验证码提出了的一些建议和意见。

CAPTCHA is now a standard security technology for differentiating between computers and humans, and the most widely deployed schemes are text-based. While many text schemes have been broken, hollow CAPTCHAs have emerged as one of the latest designs, and they have been deployed by major companies such as Yahoo!, Tencent, Sina, China Mobile and Baidu. A main feature of such schemes is to use contour lines to form connected hollow characters with the aim of improving security and usability simultaneously, as it is hard for standard techniques to segment and recognize such connected characters, which are however easy to human eyes. In this paper, we provide the first analysis of hollow CAPTCHAs’ robustness. We show a simple but novel attack. Use color filling algorithm to get the chunks of the hollow character strokes, and then reassemble chunks of characters. Use convolution neural network combining chunks into the character to get the recognition result and the similarity. And graph search methods are used to get the optimal combination results, thus the hollow CAPTCHA is cracked successfully. The cracking method in this paper breaks the traditional three steps of cracking CAPTCHA: preprocessing, segmentation, identification. After preprocessing, the segmentation and recognition are combined, the similarity of identify is the basis for segmentation, this is a revolutionary innovation in the field of CAPTCHA to crack.We successfully break a whole family of hollow CAPTCHAs, including those deployed by all the major companies such as Yahoo!, Tencent, Sina, China Mobile and Baidu, and the success rate reach to 36%, 89, 59%, 66%, 51% respectively. While our attack casts serious doubt on the viability of current designs, we offer lessons and guidelines for designing better hollow CAPTCHAs.