Sorry Google, No CAPTCHA ReCAPTCHA Doesn’t Stop Bots (shieldsquare.com)
39 points by trextrex on Dec 24, 2014 | hide | past | web | favorite | 19 comments

"What does this mean for bots? Now bots can use an OCR tool to solve the information or require somebody to solve the image initially, post which, the bot can retain the cookies and continue scraping!"

They did not try whether this works, though. I mean, the team that implemented the new Google captcha won't be that dumb. They would have known this was a flaw.

Sadly the idea that some set of people won't have been dumb enough to make a fundamental security mistake is almost never useful. Security is too complex, people are too prone to overlooking aspects other than what they're working on, and the likelihood of a group of developers or researchers spotting a flaw in their own work doesn't scale even close to linearly. It's a bit like presuming no-one needs prose copyedited because they'll pay attention - you'll overlook some mistakes in your own writing because you see what you know must be there, not what you actually typed.

Assuming people have written secure code because they're the kind of people who wouldn't make a mistake is a sucker bet.

I just saw this new recaptcha implementation on another site and spent about a full minute playing with it. If you mouse over the checkbox and click it, if you move your mouse while the spinner is "working" it magically confirms that you are a human. If you click it and don't move, it asks you to solve an image captcha, presumably to detect programmatic click events. Coupled with the cookie store, I don't see how this is any better. I give it 2 weeks before it's just another hoop for bots and two more hoops for humans to deal with.

Nothing can stop a persistent threat. This version is supposed to slow down threats without being annoying to 'real' humans. Prefer v2 over v1 all day.

Nice copypaste of my article :)

BTW, clickjacking was fixed a few weeks ago and http://homakov.github.io/nocaptcha.html isn't working anymore.

Hi Homakov,

Our post was inspired by yours. We have added the link to your original blog post now. Good one!

Updated here: http://www.shieldsquare.com/blog/sorry-google-captcha-recapt...

What/where is your article?

This one http://homakov.blogspot.com/2014/12/the-no-captcha-problem.h... they also link my PoC in the end. Instead of linking "the source"?

Thanks for the link, I must have missed it in the above post. Nice work, Egor.

That removing the cookie resets the captcha is hardly evidence only the cookie is being used as evidence. They were humans using the captcha and Google recognized it. I would imagine a few bot requests would be allowed to follow a human solution since you've raised the "I'm a human" value pretty high, but that value would decrease on every request.

Actual info about the new ReCAPTCHA at https://github.com/neuroradiology/InsideReCaptcha (original discussion: https://news.ycombinator.com/item?id=8722846)

> * The next time you visit the page, or any page which requires you to pass reCAPTCHA, the information from these cookies is used to identify whether you have passed the test before.

This is wrong. Try posting a few times on 4chan: even if it recognizes you as a human, after posting a bit more it will ask for the captcha anyway.

This isn't surprising, actually. If you want to prove data is coming from a human, then you need to involve a proof of work system, like the guided tour puzzle or a Hashcash-like implementation, or both.
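The Hashcash-style proof of work mentioned in the comment above, worked through as an added example (written for this page; it is not Google's code, not from the article, and not from the commenter). The server issues a challenge that is bound to a client identifier and an expiry and authenticated with an HMAC, the client brute-forces a counter until the hash has enough leading zero bits, and the server verifies the solution and records the challenge as spent so the same solution cannot be replayed. DIFFICULTY_BITS, CHALLENGE_TTL, SERVER_KEY and the challenge format are assumed values for the illustration, and the client id must not contain ":" because it is used as the field separator.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration (not taken from reCAPTCHA or the article).
DIFFICULTY_BITS = 16         # leading zero bits the hash must have
CHALLENGE_TTL = 60           # seconds a challenge stays valid
SERVER_KEY = os.urandom(32)  # server-side secret that authenticates challenges


def _leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n


def issue_challenge(client_id: str, now: float) -> str:
    """Server side: build 'client:expires:nonce:tag', where tag is an HMAC over the first three fields."""
    expires = int(now) + CHALLENGE_TTL
    nonce = os.urandom(8).hex()
    body = f"{client_id}:{expires}:{nonce}"
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{body}:{tag}"


def solve(challenge: str, difficulty: int = DIFFICULTY_BITS) -> int:
    """Client side: search for a counter such that sha256(challenge:counter) has enough leading zero bits."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= difficulty:
            return counter
        counter += 1


class Verifier:
    """Server side: accept a solution once per challenge; spent challenges are rejected on replay."""

    def __init__(self, difficulty: int = DIFFICULTY_BITS):
        self.difficulty = difficulty
        self.spent = set()

    def verify(self, client_id: str, challenge: str, counter: int, now: float) -> bool:
        parts = challenge.split(":")
        if len(parts) != 4:
            return False
        cid, expires, nonce, tag = parts
        body = f"{cid}:{expires}:{nonce}"
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()[:32]
        # Forged or tampered challenge: the MAC will not match.
        if not hmac.compare_digest(tag, expected):
            return False
        # Challenge must belong to this client and still be within its lifetime.
        if cid != client_id or now > int(expires):
            return False
        # One solution per challenge, so a bot cannot reuse a human's answer.
        if challenge in self.spent:
            return False
        digest = hashlib.sha256(f"{challenge}:{counter}".encode()).digest()
        if _leading_zero_bits(digest) < self.difficulty:
            return False
        self.spent.add(challenge)
        return True
```

The difficulty sets the average number of hashes a client must compute (about 2^DIFFICULTY_BITS), so it is a cost, not proof of humanity: a bot farm pays it too, which is the point of the comment's "slow down" framing. The spent set is what stops the cookie-style reuse the article describes; in production it would need the same expiry as the challenges so it does not grow without bound.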

Encountered one yesterday that required me to assemble a jigsaw puzzle. Approached the threshold of not being worth the effort.

Google's NoCaptcha required me once to select the cakes in a grid of 9 images. Only once, never again. I wonder if they were testing it or they have a rate between using text and images.

Sounds like Google isn't doing any validation beyond checking that the token is valid. At the very least, they should consider adding validation against various accounts (if any), the IPs associated with the token, and a few others. It sounds like it would help to reduce the false positive rate.

As for a bot getting a human to "seed" it, there isn't much they can do aside from throttling the rate of automatic passes to once every 20 seconds or so. They could tune that parameter to balance between usability and bot detection.
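A sketch of the server-side policy these last few comments describe (a solved captcha grants a "human" credit that is spent per request, the grant is bound to the IP it was issued to, and passes are throttled to one per fixed interval), as an added example that is my illustration and not how Google's reCAPTCHA actually works. INITIAL_CREDIT, MIN_INTERVAL, TOKEN_TTL, the token strings and the IP addresses are assumed or constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy values for this illustration (not reCAPTCHA's real parameters).
INITIAL_CREDIT = 5      # requests a single human solve is allowed to cover
MIN_INTERVAL = 20.0     # seconds between automatic passes on one token
TOKEN_TTL = 600.0       # seconds a grant stays usable after the solve


@dataclass
class Grant:
    client_ip: str
    credit: int
    issued_at: float
    last_pass: Optional[float] = None


class PassLedger:
    """Tracks captcha grants; each check() either spends credit or sends the client back to a challenge."""

    def __init__(self) -> None:
        self.grants: Dict[str, Grant] = {}

    def on_human_solve(self, token: str, client_ip: str, now: float) -> None:
        """Record a fresh solve: full credit, bound to the solving IP."""
        self.grants[token] = Grant(client_ip=client_ip, credit=INITIAL_CREDIT, issued_at=now)

    def check(self, token: str, client_ip: str, now: float) -> Tuple[bool, str]:
        """Return (allowed, reason). Any False result means the client must solve again."""
        grant = self.grants.get(token)
        if grant is None:
            return False, "unknown token"
        if grant.client_ip != client_ip:
            return False, "ip mismatch"
        if now - grant.issued_at > TOKEN_TTL:
            del self.grants[token]
            return False, "expired"
        if grant.credit <= 0:
            del self.grants[token]
            return False, "credit exhausted"
        if grant.last_pass is not None and now - grant.last_pass < MIN_INTERVAL:
            return False, "too fast"
        grant.credit -= 1
        grant.last_pass = now
        return True, "pass"
```

With these values a bot that "seeds" itself with one human solve gets at most INITIAL_CREDIT requests, spaced MIN_INTERVAL apart, before it has to involve a human again; tuning those two numbers is the usability-versus-detection trade-off the comment describes.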
