

Sorry Google, No CAPTCHA ReCAPTCHA Doesn’t Stop Bots - trextrex
http://www.shieldsquare.com/blog/sorry-google-captcha-recaptcha-doesnt-stop-bots/

======
miralabs
"What does this mean for bots? Now bots can use an OCR tool to solve the
information or require somebody to solve the image initially, post which, the
bot can retain the cookies and continue scraping!"

They did not try whether this works though. I mean, the team that implemented the
new Google captcha won't be that dumb. They would have known this was a flaw.

~~~
nieve
Sadly the idea that some set of people won't have been dumb enough to make a
fundamental security mistake is almost never useful. Security is too complex,
people are too prone to overlooking aspects other than what they're working
on, and the likelihood of a group of developers or researchers spotting a flaw
in their own work doesn't scale even close to linearly. It's a bit like
presuming no-one needs prose copyedited because they'll pay attention - you'll
overlook some mistakes in your own writing because you see what you know must
be there, not what you actually typed.

Assuming people have written secure code because they're the kind of people
who wouldn't make a mistake is a sucker bet.

------
uxp
I just saw this new recaptcha implementation on another site and spent about a
full minute playing with it. If you mouse over the checkbox and click it, if
you move your mouse while the spinner is "working" it magically confirms that
you are a human. If you click it and don't move, it asks you to solve an image
captcha, presumably to detect programmatic click events. Coupled with the
cookie store, I don't see how this is any better. I give it 2 weeks before
it's just another hoop for bots and two more hoops for humans to deal with.

------
taksintik
Nothing can stop a persistent threat. This version is supposed to slow down
threats without being annoying to 'real' humans. Prefer v2 over v1 all day.

------
homakov
Nice copypaste of my article :)

~~~
hobs
What/where is your article?

~~~
homakov
This one: [http://homakov.blogspot.com/2014/12/the-no-captcha-problem.html](http://homakov.blogspot.com/2014/12/the-no-captcha-problem.html).
They also link my PoC at the end. Instead of linking "the source"?

~~~
hobs
Thanks for the link, I must have missed it in the above post. Nice work, Egor.

------
SoftwareMaven
That removing the cookie resets the captcha is hardly evidence only the cookie
is being used as evidence. They were humans using the captcha and Google
recognized it. I would imagine a few bot requests would be allowed to follow a
human solution since you've raised the "I'm a human" value pretty high, but
that value would decrease on every request.

------
vld
Actual info about the new ReCAPTCHA at
[https://github.com/neuroradiology/InsideReCaptcha](https://github.com/neuroradiology/InsideReCaptcha)
(original discussion:
[https://news.ycombinator.com/item?id=8722846](https://news.ycombinator.com/item?id=8722846))

------
towelguy
> * The next time you visit the page, or any page which requires you to pass
> reCAPTCHA, the information from these cookies is used to identify whether
> you have passed the test before.

This is wrong. Try posting a few times in 4chan, even if it recognizes you as
a human, after posting a bit more it will ask for the captcha anyway.

------
atoponce
This isn't surprising, actually. If you want to prove data is coming from a
human, then you need to involve a proof of work system, like the guided tour
puzzle or a Hashcash-like implementation, or both.
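
A minimal Hashcash-style proof of work of the kind atoponce mentions, added here as an illustration only (it is not code from the linked article, from Google, or from any commenter). The challenge layout `"<unix_ts>|<salt>|<resource>"`, the difficulty, the freshness window and the replay set are assumptions of this example:

```python
import hashlib
import secrets
import time
from typing import Optional, Set

# Difficulty: the SHA-256 digest of "<challenge>:<counter>" must start with at
# least this many zero bits. Each extra bit doubles the client's expected work.
DIFFICULTY_BITS = 18

def new_challenge(resource: str, now: Optional[float] = None) -> str:
    """Server side. Layout (assumption of this example): "<unix_ts>|<salt>|<resource>".
    The timestamp bounds how long a solution stays redeemable, the random salt
    stops clients precomputing solutions, the resource ties work to one endpoint."""
    now = time.time() if now is None else now
    return f"{int(now)}|{secrets.token_hex(8)}|{resource}"

def leading_zero_bits(digest: bytes) -> int:
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()

def _digest(challenge: str, counter: int) -> bytes:
    return hashlib.sha256(f"{challenge}:{counter}".encode()).digest()

def solve(challenge: str, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force a counter. Expected cost is about 2**bits hashes."""
    counter = 0
    while leading_zero_bits(_digest(challenge, counter)) < bits:
        counter += 1
    return counter

def verify(challenge: str, counter: int, bits: int = DIFFICULTY_BITS,
           now: Optional[float] = None, max_age: float = 300.0) -> bool:
    """Server side: one hash to check the work, plus a freshness check on the
    embedded timestamp (stale or future-dated challenges are rejected)."""
    now = time.time() if now is None else now
    try:
        ts, _salt, _resource = challenge.split("|", 2)
        issued = int(ts)
    except ValueError:
        return False
    if not 0 <= now - issued <= max_age:
        return False
    return leading_zero_bits(_digest(challenge, counter)) >= bits

def redeem(challenge: str, counter: int, seen: Set[str], **kw) -> bool:
    """Verify, then burn the challenge so one valid solution cannot be replayed
    the way the thread says a reCAPTCHA cookie can be."""
    if challenge in seen or not verify(challenge, counter, **kw):
        return False
    seen.add(challenge)
    return True

if __name__ == "__main__":
    c = new_challenge("/comment")
    n = solve(c)
    print(c, n, verify(c, n))
```

The server spends one SHA-256 to check what cost the client roughly 2**bits of them, so `bits` is the price of each request. The caveat a practitioner should keep in mind: the work proves the client burned CPU, not that a human was present, so this throttles automation rather than excluding it, and the `seen` set is what stops the same solution being submitted twice.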

~~~
uptown
Encountered one yesterday that required me to assemble a jigsaw puzzle.
Approached the threshold of not being worth the effort.

~~~
towelguy
Google's NoCaptcha required me once to select the cakes in a grid of 9 images.
Only once, never again. I wonder if they were testing it or they have a rate
between using text and images.

------
steventhedev
Sounds like Google isn't doing any validation beyond checking that the token
is valid. At the very least, they should consider adding validation against
various accounts (if any), the IPs associated with the token, and a few
others. It sounds like it would help to reduce the false positive rate.

As for a bot getting a human to "seed" it, there isn't much they can do aside
from throttling the rate of automatic passes to once every 20 seconds or so.
They could tune that parameter to balance between usability and bot detection.
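
A sketch of the server-side checks steventhedev proposes (binding the token to the IP that solved it, and throttling automatic passes to roughly one per 20 seconds), added as an illustration and not as anything Google is known to do. The in-memory token store, the TTL and the per-token pass cap are assumptions of this example:

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Policy knobs. The 20-second interval is the figure floated in the comment
# above; the TTL and the pass cap are assumptions of this example.
MIN_INTERVAL = 20.0   # seconds between automatic passes on one token
TOKEN_TTL = 300.0     # how long a solved token stays usable at all
MAX_PASSES = 10       # hard cap on automatic passes per human solution

@dataclass
class PassToken:
    issued_at: float
    client_ip: str
    last_pass: Optional[float] = None
    passes: int = 0

class Gate:
    """Server-side record of solved challenges, keyed by the opaque token the
    client presents on later requests (in reCAPTCHA's case, via its cookie)."""

    def __init__(self, min_interval: float = MIN_INTERVAL,
                 ttl: float = TOKEN_TTL, max_passes: int = MAX_PASSES):
        self.min_interval = min_interval
        self.ttl = ttl
        self.max_passes = max_passes
        self._tokens: Dict[str, PassToken] = {}

    def issue(self, token: str, client_ip: str, now: float) -> None:
        """Called once a human has actually solved the challenge."""
        self._tokens[token] = PassToken(issued_at=now, client_ip=client_ip)

    def check(self, token: str, client_ip: str, now: float) -> Tuple[bool, str]:
        """Decide whether a request carrying `token` from `client_ip` passes
        without a fresh challenge; returns (allowed, reason)."""
        t = self._tokens.get(token)
        if t is None:
            return False, "unknown token"
        if now - t.issued_at > self.ttl:
            del self._tokens[token]
            return False, "expired"
        if client_ip != t.client_ip:
            return False, "ip mismatch"            # token reused from elsewhere
        if t.passes >= self.max_passes:
            return False, "pass budget exhausted"
        if t.last_pass is not None and now - t.last_pass < self.min_interval:
            return False, "too soon"               # the throttle
        t.last_pass = now
        t.passes += 1
        return True, "ok"

if __name__ == "__main__":
    g = Gate()
    g.issue("tok1", "203.0.113.5", now=1000.0)      # constructed sample data
    for when in (1001.0, 1005.0, 1030.0):
        print(when, g.check("tok1", "203.0.113.5", now=when))
    print(g.check("tok1", "198.51.100.9", now=1031.0))
```

Binding to the client IP will break users behind NAT or moving between networks, and does nothing against a bot seeded from the same address as the human that solved the challenge, which is why the throttle and the pass budget are applied as well.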

