Google reCAPTCHA Fooled By Bot

CAPTCHA, or Completely Automated Procedures for Telling Computers and Humans Apart, was a system first theorized by cryptographer Alan Turing in 1950.  We find these little “I am not a robot” challenges popping up all over the place, especially when creating a new account, registering for a web service the first time, or sometimes as form of poor man’s two-factor authentication.  (Something I am? = I am not a robot)  Some of the simpler tests involved looking at an image of a word or two, and then typing the words into a text box.  These tests are supposed to distinguish between a human and a computer automated script or bot.

Google provides three different types of reCAPTCHA tests.  They are:

  • The Image Challenge – this is where you have to match all the pictures with a storefront, or all the pictures that contain signs.
  • The Text Challenge – when you have to pick all the phrases that match a certain category.
  • The Audio Challenge – this is when you select the microphone icon to have a word or set of numbers read to you, and then you enter them into a text box.

As it turns out, some of these Turing tests have been beaten by scripts and bots, and no longer truly secure against bots.  The irony is that some of Google’s own tools have made this possible.  Last year the image challenge fell to a bot that used Google Images to find which images in the challenge matched certain category words.

The latest bot works by requesting the audio challenge regardless of which test is presented, and then once the audio challenge is available, downloading the audio file and using Google’s speech recognition tools to translate into text, which the bot then enters in the text box.  For more technical details, see the Naked Security article below.

Google is working on an upgraded test called Invisible reCAPTCHA, that actually compares the mouse movements of a human to the movements that would be provided by a bot to distinguish between computers and humans.  If you are using a Google reCAPTCHA on your web site, you may want to upgrade a s soon as possible.

More information:


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.