Bad News, Bots Can Beat reCAPTCHA

February 23, 2017 | Diana Lengerson


At one time or another, everyone has had to prove they were a human online by typing a code from scribbled text or by clicking a number of required images. What are those things anyway?

This is what is known as a CAPTCHA, a “Completely Automated Public Turing test to tell Computers and Humans Apart.” It was developed to stymie bots and automated programs from using a site or service.

For example, an online sweepstakes, social media platform or ecommerce site might want to block excessive entries and account creations from automated traffic by using a CAPTCHA to weed out illegitimate users. Not to mention that serving advertisements to bot traffic costs the ad industry an estimated $7.2 billion a year!

Unfortunately, CAPTCHA wasn’t perfect and could be circumvented by cheap human labor, bug exploits and machine learning. To combat this, Google developed reCAPTCHA, a next-generation Turing test meant to block bad bots while simultaneously improving the digitization of books and newspapers. Pretty clever, right?

Eventually, bots got pretty good at reading scrambled and distorted letters. Instead of making reCAPTCHA harder for humans, Google developed an image-based reCAPTCHA. Again, bots have learned to see images and are now passing these as well. Surely, you can see the pattern here.


So Google developed “no CAPTCHA reCAPTCHA” (how’s that for a clunky acronym?) to alleviate the strain put on human users to prove they are, well, human. No CAPTCHA reCAPTCHA is rather mysterious. With a single mouse click, the Turing test can verify your identity. But how?

There seems to be some debate here, but it appears as though no CAPTCHA reCAPTCHA differentiates human and automated users through a combination of cookies (to see if you have passed a reCAPTCHA before) and subtle mouse or keyboard behaviors that can expose nonhuman users.

Frustratingly enough, automated attacks are already finding ways to fool this system too. All it takes is a few bucks. Death by CAPTCHA is a $1.39 software program that automates thousands of solutions to popular CAPTCHA questions. When combined with Sikuli, a free software that replicates keyboard and mouse movements, it can easily overcome Google’s Turing tests.

As you can see, there is something of a digital arms race when it comes to web application security. So, is there any way to defend your website or service? Reputable cyber defense providers, like Shape Security, offer unknown pass conditions which cannot be predicted by savvy hackers or their bots.

Similarly, other companies are developing gaming CAPTCHAs, like Sweet Captcha or PlayThru, which offer more complex puzzles to stump robots. Another method is to offer text message or email verification as part of a two-step process for verifying your existence. Certainly, there are numerous other techniques out there including math CAPTCHAs, quiz CAPTCHAs, intentional delays, honeypots and more.
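Two of the techniques listed above, a honeypot field and an intentional minimum delay, are cheap to combine on a plain HTML form. The following is an added example (not code from the original post or any vendor named here) that validates a submitted form: the hidden field name `website`, the token field `form_token`, and the 3-second and 1-hour thresholds are assumptions chosen for illustration.

```python
import hmac
import hashlib
import secrets

# Constructed per-process key; a real deployment would load it from configuration
# so that tokens survive restarts and work across multiple servers.
SECRET = secrets.token_bytes(32)
MIN_SECONDS = 3        # a human needs at least a few seconds to fill in a form
MAX_SECONDS = 3600     # tokens older than an hour are refused


def issue_form_token(issued_at: float) -> str:
    """Return 'timestamp.hmac' to embed in the form as a hidden field.

    The HMAC stops a bot from simply writing an old timestamp into the field
    to make its instant submission look slow.
    """
    ts = str(int(issued_at))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{mac}"


def check_submission(form: dict, now: float,
                     min_seconds: int = MIN_SECONDS) -> tuple[bool, str]:
    """Accept or reject a form post; returns (accepted, reason)."""
    # Honeypot: the 'website' input is hidden with CSS, so a person never
    # fills it in, while a bot that fills every field it finds will.
    if form.get("website", ""):
        return False, "honeypot filled"

    ts, _, mac = form.get("form_token", "").partition(".")
    if not ts.isdigit():
        return False, "missing token"

    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "bad token"          # forged or tampered timestamp

    elapsed = now - int(ts)
    if elapsed < min_seconds:
        return False, "submitted too fast"  # faster than a human could type
    if elapsed > MAX_SECONDS:
        return False, "token expired"
    return True, "ok"
```

Neither check stops a scripted browser that waits a few seconds and leaves hidden inputs alone, so treat them as a first filter that removes the cheapest bots before a costlier challenge.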

Of course, CAPTCHA circumvention isn’t the only way bots can bypass or harm your web application security. Businesses also need to be aware of brute force attacks that can crack passwords, DDoS attacks that can crash business operations, content scraping scams that can steal and republish proprietary information elsewhere and credential stuffing attacks that can access personal and financial accounts. In truth, there is no shortage of digital cons.

Educate yourself about the risk of operating online to better combat bad bots. You won’t regret it.

