Google recently released a new tool for website owners called CAPTCHA reCAPTCHA. Google claims that if a site owner uses their CAPTCHA reCAPTCHA tool, it will be able to distinguish between a human and a bot:
Protect your website from spam and abuse while letting real people pass through with ease…
Google claims that they “went back to the lab” and reinvented the captcha process, and this one is “more secure” according to their YouTube video (which I have embedded below):
Well, according to Egor Homakov, Google’s new CAPTCHA reCAPTCHA is seriously flawed. It turns out that “bots can use an OCR tool to solve the information or require somebody to solve the image initially, post which, the bot can retain the cookies and continue scraping!” according to ShieldSquare.
Mr. Homakov explains that Google’s new CAPTCHA reCAPTCHA is flawed. “The thing is No CAPTCHA actually introduces a new weakness!”
It’s pretty much a serious weakness of new reCAPTCHA – instead of making everyone recognize those images we can make a bunch of good “trustworthy” users generate g-recaptcha-response-s for us. Bot’s job just got easier!
It turns out that Google’s CAPTCHA reCAPTCHA can be bypassed by another technique, using the website’s public key. Mr. Homakov explains how this is done, and even wrote code to do it on GitHub (which has since been removed).
Now if that isn’t a Christmas present for the spammers… Merry Christmas!