Google reCAPTCHA Fooled By Bot

CAPTCHA, or Completely Automated Procedures for Telling Computers and Humans Apart, was a system first theorized by cryptographer Alan Turing in 1950.  We find these little “I am not a robot” challenges popping up all over the place, especially when creating a new account, registering for a web service for the first time, or sometimes as a form of poor man’s two-factor authentication (the “something I am” factor reduced to “I am not a robot”).  Some of the simpler tests involve looking at an image of a word or two and then typing the words into a text box.  These tests are supposed to distinguish a human from an automated script or bot.

Google provides three different types of reCAPTCHA tests.  They are:

  • The Image Challenge – this is where you have to match all the pictures with a storefront, or all the pictures that contain signs.
  • The Text Challenge – when you have to pick all the phrases that match a certain category.
  • The Audio Challenge – this is when you select the microphone icon to have a word or set of numbers read to you, and then you enter them into a text box.

As it turns out, some of these Turing tests have been beaten by scripts and bots, and they are no longer truly secure against automation.  The irony is that some of Google’s own tools have made this possible.  Last year the image challenge fell to a bot that used Google Images to find which images in the challenge matched certain category words.

The latest bot works by requesting the audio challenge regardless of which test is presented, and then, once the audio challenge is available, downloading the audio file and using Google’s own speech recognition tools to transcribe it to text, which the bot then enters in the text box.  For more technical details, see the Naked Security article below.

Google is working on an upgraded test called Invisible reCAPTCHA, which compares the mouse movements of a human visitor against the movements a bot would produce in order to distinguish between computers and humans.  If you are using a Google reCAPTCHA on your web site, you may want to upgrade as soon as possible.
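Whichever reCAPTCHA variant a site uses, the token the browser sends back has to be validated on the server, and a site that treats a solved challenge as the only gate is exactly what an audio-solving bot exploits. The following is an added example, not code from this post or from Google: it checks the documented fields of Google's siteverify reply (`success`, `hostname`, `challenge_ts`, `error-codes`) rather than `success` alone, rejects tokens issued for another hostname or solved too long ago, and adds a per-IP attempt budget as a second gate. The expected hostname `example.com`, the two-minute freshness window, the five-attempt budget, and the sample replies are all constructed for the example.

```python
"""Server-side handling of a reCAPTCHA siteverify reply (added example).

The endpoint URL and the reply fields are Google's documented v2 / Invisible
reCAPTCHA API; the hostname, time window, attempt budget and sample replies
below are assumptions made for this example.
"""
import json
import urllib.parse
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
EXPECTED_HOSTNAME = "example.com"        # assumed: the site that embeds the widget
MAX_TOKEN_AGE = timedelta(minutes=2)     # assumed freshness window
MAX_ATTEMPTS_PER_IP = 5                  # assumed budget per ten-minute window


def fetch_siteverify(secret, token, remote_ip):
    """POST the client token to Google and return the parsed JSON reply (network call)."""
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}
    ).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=5) as resp:
        return json.load(resp)


def evaluate_siteverify(reply, expected_hostname, now):
    """Decide whether a siteverify reply should be trusted.

    Checking only `success` is the common mistake: a token solved on another
    site, or solved minutes ago and replayed, still carries success=true.
    """
    if not reply.get("success"):
        codes = reply.get("error-codes") or ["unknown"]
        return False, "rejected: " + ",".join(codes)
    if reply.get("hostname") != expected_hostname:
        return False, "rejected: token issued for %r" % reply.get("hostname")
    try:
        # Google's challenge_ts is ISO 8601, e.g. 2017-04-01T11:59:30Z
        solved_at = datetime.strptime(reply["challenge_ts"], "%Y-%m-%dT%H:%M:%S%z")
    except (KeyError, ValueError):
        return False, "rejected: missing or malformed challenge_ts"
    if now - solved_at > MAX_TOKEN_AGE:
        return False, "rejected: stale token (possible replay)"
    return True, "accepted"


class AttemptBudget:
    """Per-IP attempt counter: a second gate, since a solved challenge alone
    no longer proves a human is present."""

    def __init__(self, limit=MAX_ATTEMPTS_PER_IP, window=timedelta(minutes=10)):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(list)

    def allow(self, ip, now):
        recent = [t for t in self._hits[ip] if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[ip] = recent
            return False
        recent.append(now)
        self._hits[ip] = recent
        return True


def gate_submission(reply, ip, budget, now, expected_hostname=EXPECTED_HOSTNAME):
    """Combine both gates; the budget is charged even when the token verifies."""
    if not budget.allow(ip, now):
        return False, "rejected: attempt budget exhausted for " + ip
    return evaluate_siteverify(reply, expected_hostname, now)


# Constructed sample replies, shaped like siteverify output, so this runs offline.
NOW = datetime(2017, 4, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_REPLIES = {
    "fresh": {"success": True, "challenge_ts": "2017-04-01T11:59:30Z",
              "hostname": "example.com"},
    "stale": {"success": True, "challenge_ts": "2017-04-01T11:50:00Z",
              "hostname": "example.com"},
    "wrong_host": {"success": True, "challenge_ts": "2017-04-01T11:59:30Z",
                   "hostname": "other.example"},
    "failed": {"success": False, "error-codes": ["invalid-input-response"]},
}


def run_demo():
    """Evaluate each sample reply, then show the budget closing on a flood."""
    results = {name: evaluate_siteverify(r, EXPECTED_HOSTNAME, NOW)
               for name, r in SAMPLE_REPLIES.items()}
    budget = AttemptBudget(limit=3)
    flood = [gate_submission(SAMPLE_REPLIES["fresh"], "203.0.113.9", budget, NOW)[0]
             for _ in range(5)]
    results["flood"] = flood  # [True, True, True, False, False]
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(name, outcome)
```

The freshness check is what limits the value of a token a solver obtained earlier, and the hostname check stops a token solved on an attacker-controlled page from being presented to yours; the attempt budget is charged regardless of outcome so that a solver which does pass the challenge still cannot submit the form without limit.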

More information:


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Practitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speaker at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and at many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.
