Monday, March 20, 2017

Monday tech: Bypassing Google ReCaptcha 2.0



Hi everyone
Last week I talked about cracking regular CAPTCHAs, but the world is moving on to more user-friendly mechanisms, so this week I want to discuss bypassing Google ReCAPTCHA 2.0.

Two and a half years ago, in December 2014, Google started (yet another) revolution, this time in the world of CAPTCHA. Until then, the classic deformed-letters CAPTCHA (along with audio CAPTCHAs) was pretty much the only common way to tell humans and bots apart. Google used it in ReCAPTCHA version 1.0.

But Google knows a lot about us, our identity and our browsing habits, and they decided to use this information to create the No-CAPTCHA ReCAPTCHA risk analysis engine, which weighs multiple factors such as user behavior attributes, location, threshold, identity attributes (for signed-in Google accounts), browsing history and others, in order to decide whether to let the user continue without solving any challenge or to show a visual or audio challenge. This ultimately uses Google.com cookies for both logged-in and unauthenticated users.
This engine is risk-based, and therefore bots can bypass it with some degree of success. Bots can also bypass poor classic CAPTCHAs using OCR (optical character recognition), but the big question was: is Google’s ReCAPTCHA 2.0 less secure?
As soon as Google published the new mechanism, hackers and researchers started testing it and finding multiple ways to bypass it.
For example:


This research uses multiple tools, including valid cookie creation, deep learning and reverse image search. The deep learning and artificial intelligence used for solving reCAPTCHA 2.0 are algorithms that automatically identify an image’s content. There are multiple services that allow you to do this; ironically, one technique even uses Google’s own service, Google reverse image search: you take the ReCAPTCHA 2.0 image and send it to Google in order to get keywords describing the image, titles of pages containing the image, higher-resolution images and translations of non-English pages to English.
Recently a new, similar technique was published that uses Google's voice recognition engine to bypass the audio CAPTCHA of ReCAPTCHA 2.0:

So the bottom line: Is ReCAPTCHA 2.0 more human-friendly? Definitely. But is it more secure than a regular CAPTCHA? That depends on the exact implementation, but if you compare it to ReCAPTCHA 1.0, probably not.
But as in many cases, you need to find the balance between usability and security, and since the regular malformed-character CAPTCHAs are not usable, ReCAPTCHA 2.0 is a reasonable solution we can safely recommend. The future of bot-human separation is rapidly moving to risk-based algorithms, and Google and Facebook are leading the way.

Google keeps learning from the new bypassing techniques that are published from time to time, and they keep improving their algorithms.
But even if Google solves the latest ReCAPTCHA bypassing techniques, people will still want to bypass CAPTCHAs, and ReCAPTCHA 2.0 specifically, and will still offer payment to bypass it.
And if there is demand, someone will fill it.
Here is a ReCAPTCHA bypass service that offers 1000 CAPTCHA bypasses for as little as 1.2-3$, and it has no patch. Why? Because the CAPTCHAs are actually solved by humans.
And there’s no solution for human-based solving services.

Have a great week



Gil Cohen
CTO
gilc@comsecglobal.com | www.comsecglobal.com