Thursday, December 4, 2014

The No CAPTCHA problem

When I read about No CAPTCHA for the first time I was really excited. Did we finally find a better solution? Hashcash? Or what?

Finally it's available and the blog post disappointed me a bit. Here's Wordpress registration page successfully using No CAPTCHA.

Now let's open it in incognito tab... Wait, annoying CAPTCHA again? But i'm a human!

So what Google is trying to sell us as a comprehensive bot detecting algorithm is simply a whitelist based on your previous online behavior, CAPTCHAs you solved. Essentially - your cookies. Under the hood they replaced challenge/response pairs with token "g-recaptcha-response". Good guys get it "for free", bad guys still have to solve a challenge.

Does it make bot's job harder? No at all. The legacy flow is still available and old OCR bots can keep recognizing.

But what about new "find a similar image" challenges? Bots can't do that!
As long as $1 per hour is ok for many people in 3rd world, bots won't need to solve new challenges. No matter how complex they are, bots simply need to get the JS code of challenge, show it to another human being (working for cheap or just a visitor on popular websites) and use the answer that human provided.

The thing is No CAPTCHA actually introduces a new weakness!

Abusing clickjacking we can make the user (a good guy) generate g-recaptcha-response for us - make a click (demo bot for wordpress). Then we can use this g-recaptcha-response to make a valid request to the victim (from our server or from user's browser).

It's pretty much a serious weakness of new reCAPTCHA - instead of making everyone recognize those images we can make a bunch of good "trustworthy" users generate g-recaptcha-response-s for us. Bot's job just got easier!

You're probably surprised, how can we use 3rd party data-sitekey on our website?
Don't be - the Referrer-based protection was pretty easy to bypass with <meta name="referrer" content="never">.

P.S. Many developers still think you need to wait a while to get a new challenge.
In fact you can prepare as many challenges as you want and then start spaming later. It's another reCAPTCHA weakness that will never be fixed.


  1. Getting
    "ERROR: Invalid domain for site key"


    1. you're using an outdated browser? Read the last paragraph - we need referrer=never to bypass their "protection"

    2. I got that error too and I'm using Firefox.

    3. hmm maybe because i don't use proper markup. Anyway it *is* solvable, there's always a way to kill referer, we can use data:text/html after all. For demonstration please use chrome :)

    4. yep, works in chrome. Used FireFox 33.1 before.

  2. Why don't they require referrer headers to be present and to match the domain, rather than only checking for a mismatch if they are present -- too many addons/proxies that strip them?

  3. They don't do image likeness ones because generating those data sets is very complex and that cat one, while cute, probably took a day to create, and would take a spammer like 2 minutes to be able to handle that particular question if it comes up in the future.

  4. This might interest you:

  5. How i can activate it on

  6. According to my tests this works fine for like 3/4 consecutive times a given "good-guy" user solves a captcha. Then it seems to show me a captcha always. If this is the case, this technique is almost worthless for me.. Need too many good guy users to do any decent spam

  7. Hello, I have problem with "Invalid domain" on Chrome 43.0.2357.130 m

  8. This "Invalid domain" bypass doesn't seem to work anymore.