
GitHub user reverse engineered Google's new “captchaless” ReCaptcha system

Original article:

https://github.com/ReCaptchaReverser/InsideReCaptcha

Technical Highlights:

  • To obfuscate the code, Google created a new VM-based language that runs inside JavaScript
  • The code run in this VM is encrypted
  • The encrypted code can dynamically change its own encryption key at runtime
  • The VM code can also dynamically change what VM instructions do

What data Google collects:

  • Browser Plug-Ins
  • User-Agent
  • Screen resolution
  • Timestamp
  • Time zone
  • Cookies
  • Number of click/keyboard/touch actions
  • Known browser-specific CSS quirks
  • Tests HTML5 canvas support

 

EDIT1: Remove duplicate item

[22:56] <Rehclip> Goddamnit hes right? Or goddamnit you're still on the computer chatting on IRC while your house is ablaze?

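Added example, not code from the InsideReCaptcha repository and not Google's script: a toy JavaScript bytecode VM that shows, on a small scale, the four tricks in the Technical Highlights above (encrypted bytecode, a runtime key change, and instruction handlers that are rewired while the program runs) and executes a program that reads the kinds of client-side signals listed under "What data Google collects". The opcode numbers, instruction set, key values, string table and the sample browser environment are all made up for this example.

```javascript
// Added example: a toy bytecode VM, not code from InsideReCaptcha or from Google.
// It reproduces, on a small scale, the tricks listed in the post: bytecode stored
// encrypted (XOR with a byte key), a REKEY opcode that changes the key mid-stream,
// a PATCH opcode that swaps what two opcodes do at runtime, and a program that reads
// browser signals. Opcodes, key values and the sample environment are assumptions.

const OP = { PUSH: 1, LOAD: 2, STORE: 3, REKEY: 4, PATCH: 5, HALT: 6 };

// Dotted-path lookup into an object mirroring browser globals. A trailing
// function is called with no arguments, so "now.getTimezoneOffset" yields a number.
function lookup(root, path) {
  let parent = null, cur = root;
  for (const seg of path.split('.')) { if (cur == null) return undefined; parent = cur; cur = cur[seg]; }
  return typeof cur === 'function' ? cur.call(parent) : cur;
}

// Handler table. PATCH swaps entries in the VM's own copy, so what a given
// byte means depends on which instructions ran before it.
function makeHandlers() {
  return {
    [OP.PUSH]:  (vm) => { vm.stack.push(vm.next()); },                  // push immediate byte
    [OP.LOAD]:  (vm) => { vm.stack.push(lookup(vm.env, vm.names[vm.next()])); },
    [OP.STORE]: (vm) => { vm.out[vm.names[vm.next()]] = vm.stack.pop(); },
    [OP.REKEY]: (vm) => { vm.key = vm.next(); },                          // operand read under the old key
    [OP.PATCH]: (vm) => { const a = vm.next(), b = vm.next(); [vm.handlers[a], vm.handlers[b]] = [vm.handlers[b], vm.handlers[a]]; },
    [OP.HALT]:  (vm) => { vm.halted = true; },
  };
}

// "Assembler": each byte is XORed with the key in force at its position. REKEY's
// operand is still encrypted under the old key; the new key applies to what follows.
// REKEY itself must keep opcode 4 for this to work, so the program never PATCHes it.
function assemble(program, initialKey) {
  const bytes = [];
  let key = initialKey;
  for (const [op, ...args] of program) {
    for (const b of [op, ...args]) bytes.push((b ^ key) & 0xff);
    if (op === OP.REKEY) key = args[0];
  }
  return Uint8Array.from(bytes);
}

// Interpreter: decrypts one byte at a time with the current key and dispatches
// through the mutable handler table. A wrong key yields garbage opcodes and throws.
function run(code, env, names, initialKey) {
  const vm = {
    pc: 0, key: initialKey, stack: [], out: {}, env, names,
    handlers: makeHandlers(), halted: false,
    next() { if (this.pc >= code.length) throw new Error('ran off the end of the bytecode'); return (code[this.pc++] ^ this.key) & 0xff; },
  };
  while (!vm.halted) {
    const op = vm.next();
    const handler = vm.handlers[op];
    if (!handler) throw new Error(`unknown opcode ${op} at offset ${vm.pc - 1}`);
    handler(vm);
  }
  return vm.out;
}

// String table: entries 0-5 are paths to read, 6-12 are output field names.
const names = [
  'navigator.userAgent', 'navigator.plugins.length', 'screen.width', 'screen.height',
  'now.getTime', 'now.getTimezoneOffset',
  'ua', 'plugins', 'width', 'height', 'ts', 'tz', 'v',
];

// Plaintext program. Once PATCH has swapped LOAD and STORE, the author has to write
// opcode 3 to load and opcode 2 to store; a static disassembler would misread them.
const program = [
  [OP.PUSH, 7], [OP.STORE, 12],          // v = 7 (immediate operands are encrypted too)
  [OP.LOAD, 0], [OP.STORE, 6],           // ua = navigator.userAgent
  [OP.LOAD, 1], [OP.STORE, 7],           // plugins = navigator.plugins.length
  [OP.REKEY, 0x5a],                      // everything after this instruction uses key 0x5a
  [OP.LOAD, 2], [OP.STORE, 8],           // width = screen.width
  [OP.LOAD, 3], [OP.STORE, 9],           // height = screen.height
  [OP.PATCH, OP.LOAD, OP.STORE],         // from here opcode 2 stores and opcode 3 loads
  [OP.STORE, 4], [OP.LOAD, 10],          // really: LOAD now.getTime; STORE ts
  [OP.STORE, 5], [OP.LOAD, 11],          // really: LOAD now.getTimezoneOffset; STORE tz
  [OP.HALT],
];
const INITIAL_KEY = 0xa7;

// Constructed stand-in for the browser globals a real script would read.
const sampleEnv = {
  navigator: { userAgent: 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0',
               plugins: [{ name: 'PDF Viewer' }, { name: 'Flash' }] },
  screen: { width: 1920, height: 1080 },
  now: new Date(Date.UTC(2014, 11, 9, 12, 0, 0)),
};

// Assemble under the initial key, then run the encrypted stream against env.
function collect(env) {
  return run(assemble(program, INITIAL_KEY), env, names, INITIAL_KEY);
}

console.log(JSON.stringify(collect(sampleEnv)));
```

Run it with `node`. The point of the toy is the reverser's problem, not the collector: the same byte stream means different things before and after the PATCH, and the bytes after REKEY only decode with a key that is itself only known once the earlier bytes have executed, so neither the opcodes nor the operands can be read off statically. You have to run (or emulate) the VM and watch what it does, which is the approach the linked write-up describes.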

lol gg google


CPU: Intel i5 4570 | Cooler: Cooler Master TPC 812 | Motherboard: ASUS H87M-PRO | RAM: G.Skill 16GB (4x4GB) @ 1600MHZ | Storage: OCZ ARC 100 480GB, WD Caviar Black 2TB, Caviar Blue 1TB | GPU: Gigabyte GTX 970 | ODD: ASUS BC-12D2HT BR Reader | PSU: Cooler Master V650 | Display: LG IPS234 | Keyboard: Logitech G710+ | Mouse: Logitech G602 | Audio: Logitech Z506 & Audio Technica M50X | My machine: https://nz.pcpartpicker.com/b/JoJ


Just cueing you in, screen res is listed twice.

Main Rig: CPU: AMD Ryzen 7 5800X | RAM: 32GB (2x16GB) KLEVV CRAS XR RGB DDR4-3600 | Motherboard: Gigabyte B550I AORUS PRO AX | Storage: 512GB SKHynix PC401, 1TB Samsung 970 EVO Plus, 2x Micron 1100 256GB SATA SSDs | GPU: EVGA RTX 3080 FTW3 Ultra 10GB | Cooling: ThermalTake Floe 280mm w/ be quiet! Pure Wings 3 | Case: Sliger SM580 (Black) | PSU: Lian Li SP 850W

 

Server: CPU: AMD Ryzen 3 3100 | RAM: 32GB (2x16GB) Crucial DDR4 Pro | Motherboard: ASUS PRIME B550-PLUS AC-HES | Storage: 128GB Samsung PM961, 4TB Seagate IronWolf | GPU: AMD FirePro WX 3100 | Cooling: EK-AIO Elite 360 D-RGB | Case: Corsair 5000D Airflow (White) | PSU: Seasonic Focus GM-850

 

Miscellaneous: Dell Optiplex 7060 Micro (i5-8500T/16GB/512GB), Lenovo ThinkCentre M715q Tiny (R5 2400GE/16GB/256GB), Dell Optiplex 7040 SFF (i5-6400/8GB/128GB)


so does this mean this guy just gave a cheat sheet for bots to pass this captcha and make it useless?

this is one of the greatest thing that has happened to me recently, and it happened on this forum, those involved have my eternal gratitude http://linustechtips.com/main/topic/198850-update-alex-got-his-moto-g2-lets-get-a-moto-g-for-alexgoeshigh-unofficial/ :')

i use to have the second best link in the world here, but it died ;_; its a 404 now but it will always be here

 


so does this mean this guy just gave a cheat sheet for bots to pass this captcha and make it useless?

Since the verification is done server-side, we may never know the exact requirements to pass the test.

All this has done is discover what data is collected on the client side, and how it is sent back to Google.


Pretty neat. As far as I read in the GitHub summary, he hasn't completely figured out how it works, but has the idea. Might be a matter of time before someone is able to bypass it by sending a bytecode.


so does this mean this guy just gave a cheat sheet for bots to pass this captcha and make it useless?

Since the verification is done server-side, we may never know the exact requirements to pass the test.

All this has done is discover what data is collected on the client side, and how it is sent back to Google.

Even if a cheat sheet was released, I'm sure the algorithms would change so quickly it would be useless to try and keep the bot up to date. Just like trying to get your site listed higher in Google search results... the algorithms change so rapidly that anything you do to try and exploit them won't work the next day.

Case: NZXT Phantom PSU: EVGA G2 650w Motherboard: Asus Z97-Pro (Wifi-AC) CPU: 4690K @4.2ghz/1.2V Cooler: Noctua NH-D15 Ram: Kingston HyperX FURY 16GB 1866mhz GPU: Gigabyte G1 GTX970 Storage: (2x) WD Caviar Blue 1TB, Crucial MX100 256GB SSD, Samsung 840 SSD Wifi: TP Link WDN4800

 

Donkeys are love, Donkeys are life.                    "No answer means no problem!" - Luke 2015

 


Even though Google is probably trying to clone America with the info they collect, they're still better than most other companies in similar spaces.


  • Browser Plug-Ins
  • User-Agent
  • Screen resolution
  • Timestamp
  • Time zone
  • Cookies

Hmm, this is worrying; many privacy-based OSes that come with Tor have these settings exactly the same.

An example would be Whonix. I wonder if it would be called a bot.

If your grave doesn't say "rest in peace" on it You are automatically drafted into the skeleton war.


Hmm, this is worrying; many privacy-based OSes that come with Tor have these settings exactly the same.

An example would be Whonix. I wonder if it would be called a bot.

If it thinks you're a bot, it just asks you to complete a traditional warped-test captcha.


If it thinks you're a bot, it just asks you to complete a traditional warped-test captcha.

I thought it requires an email?

Well that's one way Google can find out what they need to do to make their services better I guess. Although I'd much rather a voluntary survey than a forced one...


Since the verification is done server-side, we may never know the exact requirements to pass the test.

All this has done is discover what data is collected on the client side, and how it is sent back to Google.

Which means you can extrapolate what the tests are and eventually crack the system. Google really screwed the pooch on this one.

Software Engineer for Suncorp (Australia), Computer Tech Enthusiast, Miami University Graduate, Nerd


I thought it requires an email?

Nope. If you fool it into thinking you're a bot, it's a simple captcha.

And fooling it isn't even difficult.

A riddle wrapped in an enigma, shot to the moon and made in China

Which means you can extrapolate what the tests are and eventually crack the system. Google really screwed the pooch on this one.

Well, maybe it's a server thing to stop bots. So if suddenly a whole bunch of requests come in systematically, then it is very strict on the human testing.

But really, there is no way to make a fool-proof captcha since bots are becoming better at being human than humans.

I mean they already read captchas better than humans.

Even though Google is probably trying to clone America with the info they collect, they're still better than most other companies in similar spaces.

I disagree, I think Google is just as bad as anyone else. They're a marketing/ad company first and I'd trust companies like Microsoft more with personal data.


I disagree, I think Google is just as bad as anyone else. They're a marketing/ad company first and I'd trust companies like Microsoft more with personal data.

I mistrust Microsoft for their incompetence and Google more for potential malice.


I mistrust Microsoft for their incompetence and Google more for potential malice.

Found my senior yearbook quote.


I thought it requires an email?

The email in the announcement was because the captcha was for a forum sign-up or something. You won't need an email address.

Intel i7 5820K (4.5 GHz) | MSI X99A MPower | 32 GB Kingston HyperX Fury 2666MHz | Asus RoG STRIX GTX 1080ti OC | Samsung 951 m.2 nVME 512GB | Crucial MX200 1000GB | Western Digital Caviar Black 2000GB | Noctua NH-D15 | Fractal Define R5 | Seasonic 860 Platinum | Logitech G910 | Sennheiser 599 | Blue Yeti | Logitech G502

 

Nikon D500 | Nikon 300mm f/4 PF  | Nikon 200-500 f/5.6 | Nikon 50mm f/1.8 | Tamron 70-210 f/4 VCII | Sigma 10-20 f/3.5 | Nikon 17-55 f/2.8 | Tamron 90mm F2.8 SP Di VC USD Macro | Neewer 750II


If it thinks you're a bot, it just asks you to complete a traditional warped-test captcha.

One day they will turn off the traditional captchas because they don't work (that's the reason they gave for inventing the "captchaless" system). Then you can choose between letting Google spy on you and not using any service with "captchaless" protection.

Also, the GitHub repo seems to be down. Looks like someone didn't like their secret spying machine being reversed.

edit: Yup, Google doesn't like it!

The code you reversed is used to protect many sites’ registration process including Google and many others. We are concerned that having your code and analysis publicly available will make it easier to build registration automation tools which will result in a surge of spam in all the services protected by this code and will affect negatively many Internet users.

This is why we kindly ask you to temporarily remove it from GitHub so your work won’t be used for a malicious purpose which we believe was never your intended goal.

http://www.reddit.com/r/netsec/comments/2or9e3/reverseengineering_the_new_captchaless_recaptcha/cmqna04

Got to love Google. Fucktards. Captcha didn't work, Captcha doesn't work, Captcha will never work.


Well... that list of data collected looks identical to (if not shorter than) the data that just about every page on the globe collect from users through the Analytics script. Fun stuff to know of nonetheless.

Cheers,

Linus


Just as I thought; Google has to "learn" about you to figure out if you are a robot. This seems to put the users at an ultimatum, giving up precious data to the advertisers (and the likes of the NSA), or do not bother registering for anything potentially useful ever again. And with the security tools (rightfully) blocking it, it only adds to the problem.

And I was wondering why it was not showing up on my browsers...

Read the community standards; it's like a guide on how to not be a moron.

 

Gerdauf's Law: Each and every human being, without exception, is the direct carbon copy of the types of people that he/she bitterly opposes.

Remember, calling facts opinions does not ever make the facts opinions, no matter what nonsense you pull.


Well... that list of data collected looks identical to (if not shorter than) the data that just about every page on the globe collect from users through the Analytics script. Fun stuff to know of nonetheless.

Which you can easily block. Try blocking the captcha if you want to use the service "protected" by the captcha.

Also, found a mirror (https://github.com/toogle/InsideReCaptcha) and pulled the code locally.
