How does Google reCAPTCHA v2 work behind the scenes

Question

This post refers to Google ReCaptcha v2  not the latest version   Recently Google introduced a simplified  captcha  verification system  video  that enables users to pass the  captcha  just by clicking on it   But how can it differentiate a bot from a person just by a click   As per this answer   assuming a similar implementation   at first  recaptcha  generates a hidden key and attaches it to a hidden input element and also lazily renders a check box  not an actual check box input but a div  with the same key which when clicked  sends an asynchronous request  XHR  to the Google backend servers to mark it as a valid verification key  i e  a key that has to be validated when the form is submitted    But why can t bots automate that click  at least  browser-based bots    How might this work

User · Answer

A new paper has been released with several tests against reCAPTCHA:

https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA-wp.pdf

Some highlights:

By keeping a cookie active for +9 days (by browsing sites with Google resources), you can then pass reCAPTCHA by only clicking the checkbox;
There are no restrictions based on requests per IP;
The browser's user agent must be real, and Google run tests against your environment to ensure it matches the user agent;
Google tests if the browser can render a Canvas;
Screen resolution and mouse events don't affect the results;

Google has already fixed the cookie vulnerability and is probably restricting some behaviors based on IPs.

Another interesting finding is that Google runs a VM in JavaScript that obfuscates much of reCAPTCHA code and behavior. This VM is known as botguard and is used to protect other services besides reCAPTCHA:

https://github.com/neuroradiology/InsideReCaptcha

UPDATE 2017

A recent paper (from August) was published on WOOT 2017 achieving 85% accuracy in solving noCAPTCHA reCAPTCHA audio challenges:

http://uncaptcha.cs.umd.edu/papers/uncaptcha_woot17.pdf

UPDATE 2018

Google is introducing reCAPTCHA v3, which looks like a "human score prediction engine" that is calibrated per website. It can be installed into different pages of a website (working like a Google Analytics script) to help reCAPTCHA and the website owner to understand the behaviour of humans vs. bots before filling a reCAPTCHA.

https://www.google.com/recaptcha/intro/v3beta.html

User · Answer

My Bots are running well against ReCaptcha   Here my Solution   Let your Bot do this Steps   First write a Human Mouse Move Function to move your Mouse like a B-Spline  Ask me for Source Code   This is the most important Point   Also use for better results a VPN like https   www purevpn com  For every Recpatcha do these Steps    If you use VPN switch IP first Clear all Browser Cookies Clear all Browser Cache Set one of these Useragents by Random    a  Mozilla 5 0  compatible  MSIE 9 0  Windows NT 6 1  Trident 5 0   b  Mozilla 5 0  Windows NT 6 1  WOW64  rv 44 0  Gecko 20100101 Firefox 44 0   5 Move your Mouse with the Human Mouse Move Funktion from a RandomPoint into the I am not a Robot Image every time with different 10x10 Randomrange   Then Click ever with random delay between   WM LBUTTONDOWN  and  WM LBUTTONUP Take Screenshot from Image Captcha Send Screenshot to   http   www deathbycaptcha com  or   https   2captcha com   and let they solve    After receiving click cooridinates from captcha solver use your Human Mouse move Funktion to move and Click Recaptcha Images Use your Human Mouse Move Funktion to move and Click to the Recaptcha Verify Button   In 75  all trys Recaptcha will solved  Chears Google  Tom

User · Answer

Please remember that Google also use reCaptcha together with  Canvas fingerprinting    to uniquely recognize User Browsers without cookies

User · Answer

May I present my guess  since this is not a open technology   Google says it s about combing information from before  during  after to distinguish human from robot  But I am more interested about that final click on the check box   Say  the POST data  solved CAPTCHA  has a field called fingerprint  a string calculated from user behavior  I think there may be a field about that check box location  I guess this check box is in a coordinate system randomly generated by Google back-end and encrypted by the public key of my site  So  a robot may  guess calculate  a location about this box  but when site owner makes the GET query with private key to verify user identity  Google will decrypt the coordinate system and say if the user click on the right place  So  only one possible right click with some offsets  it s a square box  location in this random coordinate system owned by only Google and site owners

User · Answer

This is speculation  but based on Google s reference to the  risk analysis engine  they use  http   googleonlinesecurity blogspot com 2014 12 are-you-robot-introducing-no-captcha html   I would assume it looks at how you behaved prior to clicking  how your cursor moved on its way to the check  organic path acceleration   which part of the checkbox was clicked  random places  or dead on center every time   browser fingerprint  Google cookies  amp  contents  click location history tied to your fingerprint or account if it detects one etc    It s fairly difficult to fake  organic  behavior in such a way that it would fool a continuously learning pattern detection engine  In the cases where it s not sure  it still prompts you to match an actual CAPTCHA string

[captcha] How does Google reCAPTCHA v2 work behind the scenes?

Examples related to captcha

Examples related to recaptcha