Google's No Captcha reCaptcha Breakable?


Egor Homakov of Sakurity claims, I’d say proved, that Google’s No Captcha reCaptcha might not be as bot proof as we thought.


Because reCAPTCHA relies on the user’s previous behavior (cookies), going incognito brings you back to the old-school Captcha. Now remember, this is the same captcha that Google said, and we agree, is not secure anymore.

How about the “mobile friendly” recognize-similar-picture Captcha? Egor reiterates: “bots can do that”.

And not just bots: Egor claims this hurdle can be overcome by low-salaried workers or even g-recaptcha-response bots. Basically, in Egor’s words, “Abusing clickjacking we can make the user (a good guy) generate g-recaptcha-response for us – make a click (demo bot for wordpress). Then we can use this g-recaptcha-response to make a valid request to the victim (from our server or from user’s browser).” Do check out Egor’s demo bot that resolves those new and shiny reCAPTCHAs without a hiccup.

Until these concerns are resolved, we recommend not jumping onto Google’s No Captcha reCaptcha train.

The author would love to hear your comments. Let us discuss on Twitter @qasimchadhar.