Google’s new bot prevention reCaptcha may not be as sophisticated as promised.
In a blog post today, security company Shield Square wrote that the Google algorithm may be fairly easy for bots to bypass, echoing similar sentiments from Sakurity consultant Egor Homakov aired earlier this month.
Google launched its new bot-detecting Captcha form, called No Captcha reCaptcha, on Dec. 3. The technology replaces the traditional Captcha test, which requires you to transcribe a distorted series of letters and numbers, with a simple check box. The company said the new, simpler interface is more secure than the old Captcha because it analyzes user behavior to determine whether the visitor is a person or a bot.
To reduce the number of times that users have to interact with No Captcha, the algorithm only makes users take the test once. The next time they visit the site, No Captcha won’t appear — unless the user regularly clears their cookies, in which case they’ll have to retake the Captcha every time they do so.
Shield Square asserts that Google’s reliance on cookies creates a problem. For bots to pass the reCaptcha, all they have to do is store the relevant cookies for the website they’re looking to access. Alternatively, bots could use an optical character recognition tool to solve the puzzle in the first place, allowing continued access to the site.