Hi everyone
Last week I talked about cracking regular CAPTCHAs, but the world is moving on to more user-friendly mechanisms, so this week I want to discuss bypassing Google ReCAPTCHA 2.0.
Two and a half years ago, in December 2014, Google made (yet another) revolution, this time in the world of CAPTCHA. Until then, the classic deformed-letters CAPTCHA (along with audio CAPTCHAs) was pretty much the only common way to tell humans and bots apart, and Google used it in ReCAPTCHA version 1.0.
But Google knows a lot about us, our identity and our surfing habits, and they decided to use this information to build the No-CAPTCHA ReCAPTCHA risk-analysis engine. It weighs multiple factors such as user behavior attributes, location, thresholds, identity attributes (for signed-in Google accounts), browsing history and others, in order to decide whether to let the user continue without solving any challenge or to show a visual or audio challenge. Ultimately this relies on Google.com cookies for both logged-in and unauthenticated users.
Because this engine is risk-based, bots can bypass it with some degree of success. Bots can also bypass poor classic CAPTCHAs using OCR (optical character recognition), but the big question was: is Google's ReCAPTCHA 2.0 less secure?
As soon as Google published the new mechanism, hackers and
researchers started testing it and finding multiple ways to bypass it.
For example:
- Valid token reuse - https://www.shieldsquare.com/sorry-google-captcha-recaptcha-doesnt-stop-bots/
- ReCAPTCHA automated submission - http://devmd.com/r/bypassing-no-captcha-recaptcha-with-ubot
- Full-scale research that mimics the cookie attributes of legitimate users to automatically solve 50-60K CAPTCHAs per day per IP address!
  http://news.softpedia.com/news/google-recaptcha-cracked-in-new-automated-attack-502677.shtml
  Presentation: https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA.pdf
  White paper: https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA-wp.pdf
This research combines multiple tools, including valid cookie creation, deep learning and reverse image search. Deep learning and artificial intelligence for solving ReCAPTCHA 2.0 are algorithms that automatically identify an image's content. Multiple services let you do this, and one of them, ironically, uses Google's own reverse image search: you take the ReCAPTCHA 2.0 image and send it to Google in order to get keywords describing the image, titles of pages containing the image, higher-resolution copies of the image and translations of non-English pages into English.
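Of the bypasses listed above, valid token reuse is the one a site owner can close on their own side, by verifying every submitted token server-side and accepting each one only once. The following is an added example, not code from the original post: it judges the JSON text that Google's siteverify endpoint returns (the HTTP call itself is left to the caller), binds the result to the expected hostname, rejects tokens older than an assumed two-minute window and rejects any token that was already accepted. The TokenStore class, MAX_TOKEN_AGE and the sample response are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Real endpoint a backend POSTs {secret, response, remoteip} to; the HTTP call is
# left to the caller, this code only judges the JSON text it returns.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
MAX_TOKEN_AGE = timedelta(minutes=2)  # assumed window; tokens expire after 2 minutes

class TokenStore:
    """Tokens already accepted. In-memory here; use a shared cache in production."""
    def __init__(self):
        self._seen = set()
    def first_use(self, token):
        if token in self._seen:
            return False
        self._seen.add(token)
        return True

def verify_siteverify_response(body, token, expected_hostname, store, now):
    """Return (ok, reason) for siteverify JSON text `body` issued for `token`."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed response"
    if data.get("success") is not True:
        return False, "failed: " + ",".join(data.get("error-codes", []))
    # The challenge must have been solved on our site, not on another site using our key.
    if data.get("hostname") != expected_hostname:
        return False, "hostname mismatch"
    try:
        ts = datetime.strptime(data["challenge_ts"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        return False, "missing or malformed challenge_ts"
    if now - ts.replace(tzinfo=timezone.utc) > MAX_TOKEN_AGE:
        return False, "stale token"
    if not store.first_use(token):  # each token is good for exactly one submission
        return False, "token already used"
    return True, "ok"

# Constructed sample of a successful siteverify reply (no real token involved).
SAMPLE_BODY = '{"success": true, "challenge_ts": "2017-05-10T12:00:00Z", "hostname": "example.com"}'
CHECK_TIME = datetime(2017, 5, 10, 12, 1, 0, tzinfo=timezone.utc)

def demo():
    """Same token twice, then a token for another host, then an expired one."""
    store = TokenStore()
    args = [("tok-1", "example.com", CHECK_TIME), ("tok-1", "example.com", CHECK_TIME),
            ("tok-2", "evil.example", CHECK_TIME), ("tok-3", "example.com", CHECK_TIME + MAX_TOKEN_AGE)]
    return [verify_siteverify_response(SAMPLE_BODY, t, h, store, n)[1] for t, h, n in args]
```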
Recently a similar new technique was published that uses Google's voice recognition engine in order to bypass the audio CAPTCHA of ReCAPTCHA 2.0:
So the bottom line: is ReCAPTCHA 2.0 more human-friendly? Definitely. But is it more secure than a regular CAPTCHA? That depends on the exact implementation, but compared to ReCAPTCHA 1.0 - probably not.
But as in many cases, you need to find the balance between usability and security, and since the regular malformed-characters CAPTCHAs are not usable, ReCAPTCHA 2.0 is a reasonable solution we can safely recommend. The future of human-bot separation is rapidly moving to risk-based algorithms, and Google, together with Facebook, leads the way.
Google keeps learning from the new bypassing techniques that are published from time to time, and keeps improving its algorithms. But even if Google solves the latest ReCAPTCHA bypassing techniques, people will still want to bypass CAPTCHAs, and ReCAPTCHA 2.0 specifically, and will still pay to do so. And where there is demand, someone will fill it.
Here is a ReCAPTCHA bypass service that offers 1000 CAPTCHA bypasses for as little as $1.2-3, and there is no patch for it. Why? Because the CAPTCHAs are actually solved by humans.
And there's no solution for human-based solving services.