Egor Homakov of Sakurity claims, and I’d say proved, that Google’s No CAPTCHA reCAPTCHA might not be as bot-proof as we thought.


Because reCAPTCHA relies on the user’s previous behavior (cookies), going incognito brings you back to the old-school CAPTCHA. Now remember, this is the same CAPTCHA that Google said, and we agree, is not secure anymore.

How about the “mobile friendly” recognize-similar-picture CAPTCHA? Egor reiterates: “bots can do that”.

And not just bots: Egor claims this hurdle can be overcome by low-salaried workers or even g-recaptcha-response bots. Basically, in Egor’s words, “Abusing clickjacking we can make the user (a good guy) generate g-recaptcha-response for us – make a click (demo bot for wordpress). Then we can use this g-recaptcha-response to make a valid request to the victim (from our server or from user’s browser).” Do check out Egor’s demo bot, which resolves those new and shiny reCAPTCHAs without a hiccup.

Until we see a resolution to these concerns, we recommend not jumping onto Google’s No CAPTCHA reCAPTCHA train.