317

This post refers to Google ReCaptcha v2 (not the latest version)

Recently Google introduced a simplified "captcha" verification system (video) that enables users to pass the "captcha" just by clicking on it.

But how can it differentiate a bot from a person just by a click?

As per this answer, (assuming a similar implementation), at first "recaptcha" generates a hidden key and attaches it to a hidden input element and also lazily renders a check box (not an actual check box input but a div) with the same key which when clicked, sends an asynchronous request (XHR) to the Google backend servers to mark it as a valid verification key (i.e. a key that has to be validated when the form is submitted).

But why can't bots automate that click (at least, browser-based bots)?

How might this work?

David Spector
everlasto
  • 1
    Probably similar to the way they were sending simple captchas to humans, and hard captchas to bots – mukunda Dec 04 '14 at 04:24
  • 1
    The way I understood it is - there still is a captcha, but unless you make suspicious requests - you will never have to solve it. – Kelm Dec 04 '14 at 04:25
  • @Louie What was "stolen"? Someone asked the same question, and linked the same (and only) post—but it's worded a bit differently, and none of the answers are the same. What's more, the original Quora question was posted on December 3, a day *before* this question. What seems to be the problem? – wchargin Feb 11 '15 at 05:42
  • @Louie: Seriously..? – everlasto Feb 13 '15 at 05:45
  • I'm saying the answers were copy catted to Quora site. If you guys have an idea of what's going on, great. I'm just doing my part keeping an eye out of stackoverflow policy breaking site. – Louis Hong Feb 14 '15 at 08:17
  • 10
    @CiroSantilli六四事件法轮功 what the heck? the link is gone – TechLife Apr 10 '15 at 09:44
  • @all wait guys why are we wasting time here! when we visit a captcha enabled website we have those data offline! why don't we reverse engineer it? if it is swf object, we can decompile it, if it is Javascript that's pretty simpler. Plz do some work, I wanna spam some websites. – TechLife Apr 10 '15 at 09:49
  • 14
    @TechLife true! Seems to have moved to https://github.com/neuroradiology/InsideReCaptcha ? Reminder to self: always fork stuff. – Ciro Santilli OurBigBook.com Apr 10 '15 at 10:13
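
The last step the question describes, validating the key when the form is submitted, corresponds on the site owner's side to a server-to-server call to reCAPTCHA's `siteverify` endpoint. The following is an added example, not code from the question or from Google; the host names, the sample responses and the `evaluateVerdict` helper are constructed for illustration.

```javascript
// Added example: evaluating the JSON that the siteverify endpoint returns
// for a reCAPTCHA v2 token. Sample verdicts at the bottom are constructed.
const VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Server-to-server call: send the site secret and the token the browser
// submitted in the g-recaptcha-response form field. Not invoked in this demo.
async function fetchVerdict(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  const res = await fetch(VERIFY_URL, { method: 'POST', body });
  return res.json();
}

// Decide whether to accept the form. Fails closed on anything unexpected.
function evaluateVerdict(verdict, opts) {
  const { expectedHost, maxAgeMs = 120000, skewMs = 5000, now = Date.now() } = opts;
  if (!verdict || verdict.success !== true) {
    const codes = (verdict && verdict['error-codes']) || ['no-verdict'];
    return { ok: false, reason: codes.join(',') };
  }
  // A token solved on another site must not unlock this one.
  if (verdict.hostname !== expectedHost) {
    return { ok: false, reason: 'hostname-mismatch' };
  }
  // challenge_ts is the ISO timestamp of when the challenge was completed.
  const age = now - Date.parse(verdict.challenge_ts);
  if (!Number.isFinite(age) || age < -skewMs || age > maxAgeMs) {
    return { ok: false, reason: 'stale-or-invalid-timestamp' };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample verdicts (not captured from Google).
const NOW = Date.parse('2024-01-01T12:01:00Z');
const SAMPLES = {
  fresh: { success: true, challenge_ts: '2024-01-01T12:00:00Z', hostname: 'shop.example' },
  replayed: { success: false, 'error-codes': ['timeout-or-duplicate'] },
  otherSite: { success: true, challenge_ts: '2024-01-01T12:00:00Z', hostname: 'evil.example' },
  old: { success: true, challenge_ts: '2024-01-01T11:00:00Z', hostname: 'shop.example' },
};

function demo() {
  const opts = { expectedHost: 'shop.example', now: NOW };
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([k, v]) => [k, evaluateVerdict(v, opts).reason]));
}
console.log(demo());
```

A token is only as good as this server-side check: a form handler that trusts the presence of the field without calling `siteverify` accepts any string a client sends.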

5 Answers

209

This is speculation, but based on Google's reference to the "risk analysis engine" they use (http://googleonlinesecurity.blogspot.com/2014/12/are-you-robot-introducing-no-captcha.html), I would assume it looks at how you behaved prior to clicking, how your cursor moved on its way to the check (organic path/acceleration), which part of the checkbox was clicked (random places, or dead on center every time), browser fingerprint, Google cookies & contents, click location history tied to your fingerprint or account if it detects one, etc.

It's fairly difficult to fake "organic" behavior in such a way that it would fool a continuously learning pattern detection engine. In the cases where it's not sure, it still prompts you to match an actual CAPTCHA string.

AgmLauncher
  • 77
    That seems right and should explain why I always have to type a string on my PSVita with the sticks. It doesn't move like a normal mouse. – Domino Mar 25 '15 at 00:10
  • 1
    Based on the fact that Google still makes you do a visual CAPTCHA when you seem "suspicious", I guess this is just a way to make things easier on some people. Messing around with it, it doesn't have a great tolerance for "inorganic" behavior at all. My initial thought was that this would be terrible, since I presumed that "somewhat" organic behavior would be easy to fake, but it even makes me do the CAPTCHA sometimes. – fakedad Apr 06 '15 at 01:47
  • I think these are easier to fake than the old captcha. here is when random numbers come handy! – TechLife Apr 09 '15 at 20:59
  • 3
    I'm wondering how Google would react to a sufficiently huge amount of recorded organic behaviour. – Markus Malkusch Apr 17 '15 at 15:21
  • 16
    Mouse movement definitely does not contribute to this. Place the cursor right on the spot where the checkbox would appear. Navigate to the site without moving your cursor. Click the checkbox and it will pass. – Derek 朕會功夫 Jun 12 '15 at 02:36
  • 3
    @Derek, I don't think that is proof of anything. Cookies, IP and many other factors might contribute to letting you pass before they fall back to mouse movement. I don't feel like testing it, but if you were to fire a fresh computer from a fresh IP and not use the mouse at all, I'm willing to bet it would fail. – Caimen Oct 01 '15 at 20:57
  • It may even be possible that they are keeping records of inorganic and even organic mouse movements and looking and checking for duplicate or similar mouse movements across different sites and sessions. It sounds exactly like something Google would do and similar tactics are used by other companies like Cloud Flare. Essentially Google could be using mouse movement almost as a fingerprint. If you think about this from Google's perspective, they might even be able to identify who you are by your mouse movements. Of course this is all speculation and I would love to be proved wrong. – Caimen Oct 01 '15 at 20:57
  • 15
    Note that you can also tab over to it and press space. – JSideris Dec 22 '15 at 12:37
  • 2
    Worth noting that reCaptcha always scrutinizes me a lot when I'm using Tor. – Captain Hypertext Mar 05 '16 at 03:11
  • Using the Chrome plugin Vimium's shortcut to click the checkbox also passes. So not mouse movement. – Zieng Aug 09 '16 at 08:25
  • I noticed it changed to a traditional captcha (visually) when I was testing out a VPN app on iOS, so IP address may be one of the components as well. – silverliebt Nov 03 '16 at 00:21
  • Just a thought, I think it uses browser history too or just that, because if you open a captcha link using incognito, then it would ask you to go through Image validation before verifying you. @JacqueGoupil if possible try using the browser on your PSVita and try the captcha again? – kAnNaN Mar 08 '17 at 01:38
  • If we run nocaptcha in a sandboxed iframe... will it throw this detection off? – felickz May 25 '17 at 19:55
  • @kAnNaN If your browser exposed history to a web page that would be an extreme security flaw. Also, if this tracks mouse movements, it must send those mouse movements to the server somehow. If it uses local javascript to do it, then it's useless. If it constantly sends mouse movements then that feels strange – Cruncher Oct 05 '17 at 20:59
  • `how your cursor moved on its way to the check`. How can something operating in the browser know something like that? It would need access to the OS to find that out. – bsky Dec 22 '17 at 13:42
  • @octavian Browsers have `onmousemove` events. – mbomb007 Mar 06 '18 at 14:22
  • Pretty sure mouse movement is not a factor. My laptop is touchscreen and I use firefox ;) – pulsejet Apr 08 '18 at 06:24
  • 1
    I'm also pretty sure it's nothing to do with the mouse movement, try invoking the click event in console, something like `$('.recaptcha-checkbox-border').click()` like a robot would do and it will pass. – VahidNaderi Feb 13 '20 at 13:01
79

A new paper has been released with several tests against reCAPTCHA:

https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA-wp.pdf

Some highlights:

  • By keeping a cookie active for +9 days (by browsing sites with Google resources), you can then pass reCAPTCHA by only clicking the checkbox;
  • There are no restrictions based on requests per IP;
  • The browser's user agent must be real, and Google runs tests against your environment to ensure it matches the user agent;
  • Google tests if the browser can render a Canvas;
  • Screen resolution and mouse events don't affect the results;

Google has already fixed the cookie vulnerability and is probably restricting some behaviors based on IPs.

Another interesting finding is that Google runs a VM in JavaScript that obfuscates much of reCAPTCHA code and behavior. This VM is known as botguard and is used to protect other services besides reCAPTCHA:

https://github.com/neuroradiology/InsideReCaptcha

UPDATE 2017

A recent paper (from August) was published at WOOT 2017, achieving 85% accuracy in solving noCAPTCHA reCAPTCHA audio challenges:

http://uncaptcha.cs.umd.edu/papers/uncaptcha_woot17.pdf

UPDATE 2018

Google is introducing reCAPTCHA v3, which looks like a "human score prediction engine" that is calibrated per website. It can be installed into different pages of a website (working like a Google Analytics script) to help reCAPTCHA and the website owner to understand the behaviour of humans vs. bots before filling a reCAPTCHA.

https://www.google.com/recaptcha/intro/v3beta.html

barbolo
  • 4
    `mouse events don't affect the results` That's interesting, as I (and I believe many others) had thought that was the main thing that affected results. I thought on mobile instead of the checkbox, users were asked to select all images that are alike instead, because there are no mouse movements on a touchscreen. However, looking at the introductory blog post again, it appears that might not be the case. Perhaps selecting images is instead of typing distorted text, not instead of checking a box. Do you (or anyone) know whether reCAPTCHA ever allows simply checking a box on mobile? – Nateowami Dec 26 '16 at 16:00
  • 1
    Mouse events do affect the results. If you press `Tab` and `Enter` to select the checkbox, it will show the images captcha for you to select them based on a criterion. – mbomb007 Sep 11 '17 at 14:04
  • 2
    @mbomb007 Mouse events might affect the results but pressing `Tab` and `Enter` will not show the image captcha all the time. Most of the time pressing `Tab` and `Enter` is accepted – Manish Ojha Mar 06 '18 at 07:09
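
The highlights in the answer above say the environment is tested against the claimed user agent and that canvas rendering is checked. A minimal server-side version of that kind of consistency check is sketched below as an added example; it is not from the paper, from Google or from this answer, and the probe names and expected-value table are assumptions chosen for illustration (a real risk engine would use many more signals).

```javascript
// Added example: flag a client whose claimed User-Agent disagrees with
// feature probes reported by a (hypothetical) script running in the page.
// Probe meanings, as they would be collected client-side:
//   documentMode  -> typeof document.documentMode !== 'undefined' (IE only)
//   windowChrome  -> typeof window.chrome !== 'undefined' (Chromium family)
//   mozAppearance -> 'MozAppearance' in document.documentElement.style (Firefox)
//   canvas2d      -> a <canvas> element returned a working 2D context
const EXPECTED = {
  ie:      { documentMode: true,  windowChrome: false, mozAppearance: false },
  firefox: { documentMode: false, windowChrome: false, mozAppearance: true },
  chrome:  { documentMode: false, windowChrome: true,  mozAppearance: false },
};

function uaFamily(ua) {
  if (/MSIE |Trident\//.test(ua)) return 'ie';
  if (/Firefox\//.test(ua)) return 'firefox';
  if (/Chrome\//.test(ua)) return 'chrome'; // also other Chromium-based browsers
  return 'unknown';
}

// Returns a list of mismatches; an empty list means "consistent".
// Missing probes count as mismatches, so a client that runs no script fails.
function inconsistencies(ua, probes) {
  const found = [];
  const family = uaFamily(ua);
  if (family === 'unknown') found.push('unrecognised-user-agent');
  for (const [name, want] of Object.entries(EXPECTED[family] || {})) {
    if (probes[name] !== want) found.push(`${family}:${name}`);
  }
  if (probes.canvas2d !== true) found.push('no-canvas');
  return found;
}

// Constructed reports. The UA strings are the two quoted elsewhere on this page.
const FIREFOX_UA = 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0';
const IE9_UA = 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)';
const honestFirefox = { documentMode: false, windowChrome: false, mozAppearance: true, canvas2d: true };
const chromiumClaimingIe = { documentMode: false, windowChrome: true, mozAppearance: false, canvas2d: true };

console.log(inconsistencies(FIREFOX_UA, honestFirefox));  // consistent client
console.log(inconsistencies(IE9_UA, chromiumClaimingIe)); // UA does not match engine
```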
28

My Bots are running well against ReCaptcha.

Here is my Solution.

Let your Bot do these Steps:

First write a Human Mouse Move Function to move your Mouse like a B-Spline (Ask me for Source Code). This is the most important Point.

Also use for better results a VPN like https://www.purevpn.com

For every Recaptcha do these Steps:

  1. If you use VPN switch IP first

  2. Clear all Browser Cookies

  3. Clear all Browser Cache

  4. Set one of these Useragents by Random:

    a. Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

    b. Mozilla/5.0 (Windows NT 6.1; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0

  5. Move your Mouse with the Human Mouse Move Function from a RandomPoint into the I am not a Robot Image every time with different 10x10 Randomrange

  6. Then Click ever with random delay between

    WM_LBUTTONDOWN

    and

    WM_LBUTTONUP

  7. Take Screenshot from Image Captcha

  8. Send Screenshot to

    http://www.deathbycaptcha.com

    or

    https://2captcha.com

    and let them solve.

  9. After receiving click coordinates from captcha solver use your Human Mouse Move Function to move and Click Recaptcha Images

  10. Use your Human Mouse Move Function to move and Click to the Recaptcha Verify Button

In 75% of all tries Recaptcha will be solved

Cheers Google

Tom

Ingo
  • 2
    Why do you need the "Human Mouse Move Function"? It looks unnecessary to accomplish your goal. – barbolo May 20 '16 at 13:29
  • 11
    'Human Mouse Move' Function is the most important Point. Google detects inside the captcha Mousespeed, MouseWay, MouseButton down and up Events, Clickpositions, Mouse EntryPoint into the captcha, ... and sends this information via Javascript to Google Database with many millions of real Human Mousemove Trackings. After interpreting all this captured information the Captcha will be marked as solved, only if the google algorithm says it was a human. – Ingo May 21 '16 at 09:32
  • 1
    There's no evidence about mouse events being used by reCAPTCHA to generate CAPTCHAs or to validate answers. So this looks terribly wrong for me. – barbolo May 22 '16 at 12:45
  • 1
    @ barbolo: You really think, when your Bot everytime click e.g. at x=1 and y=1 Position in the right squares you solve one ReCaptcha?????? – Ingo May 24 '16 at 23:58
  • 4
    @ barbolo: Please Check this official Google Blog https://security.googleblog.com/2014/12/are-you-robot-introducing-no-captcha.html -> Google says "To counter this, last year we developed an Advanced Risk Analysis backend for reCAPTCHA that actively considers a user’s entire engagement with the CAPTCHA—before, during, and after—to determine whether that user is a human. " – Ingo May 25 '16 at 00:10
  • 1
    @ barbolo: You understand? Google considers a user’s entire engagement with the CAPTCHA—before, during, and after! And with what you handle the actions with the Captcha? With your mouse!!!! – Ingo May 25 '16 at 00:18
  • 1
    @ Ingo My bot always click at the same position and solves the reCAPTCHAs correctly. – barbolo May 25 '16 at 11:18
  • 1
    @ Ingo Your quote from Google doesn't say they are considering mouse events. You and many other people imagined that mouse events represent the key engagement factor they are looking at, which may or may not be true. According to my tests, they ignore mouse events. – barbolo May 25 '16 at 11:26
  • @ barbolo: Your Bot clicks in the center of the Squares and all your Captchas are really solved??????? Without any Mouse Move???? – Ingo May 25 '16 at 22:07
  • 1
    This week I've run some tests in a recent reCAPTCHA version that seems to take mouse events into account. Are your bots still working properly? – barbolo Jun 24 '16 at 19:23
  • Yes, my Bots already solve ReCaptchas. I use my Human Mouse Move function. – Ingo Jul 10 '16 at 08:15
  • 1
    Does your mouse move function emit javascript events? – barbolo Jul 10 '16 at 17:26
  • @Ingo by the way, I've asked a question about the B-spline-like movements - please feel free to share your solution there. Thanks! – alecxe Sep 10 '16 at 04:12
  • @barbolo: > emits javascript events -> no, the function is sending a x,y pos mouse route – Ingo Sep 18 '16 at 23:52
  • @alecxe : >> please feel free to share your B-spline Mouse movement function. Not at the moment ;-) It's too much know-how inside ;-) – Ingo Sep 18 '16 at 23:55
  • 8
    Step 8 uses an external API where **humans solve the captcha for you.** The bot is not solving anything. – Andrea Lazzarotto Jul 21 '17 at 23:47
  • 19
    Is it just me, or is it both disturbing and fascinating to anyone else that bot writers are using Stack Overflow to help solve (and debate about!) reCAPTCHAs? – Ogre Psalm33 Nov 22 '17 at 20:16
  • 1
    @Ingo, can I please have the code for `First write a Human Mouse Move Function to move your Mouse like a B-Spline (Ask me for Source Code)` ? My email is nino.skopac@gmail.com – The Onin Feb 04 '19 at 19:08
3

May I present my guess, since this is not an open technology.

Google says it's about combining information from before, during, after to distinguish human from robot. But I am more interested in that final click on the check box.

Say, the POST data (solved CAPTCHA) has a field called fingerprint, a string calculated from user behavior. I think there may be a field about that check box location. I guess this check box is in a coordinate system randomly generated by Google back-end and encrypted by the public key of my site. So, a robot may "guess/calculate" a location about this box, but when site owner makes the GET query with private key to verify user identity, Google will decrypt the coordinate system and say if the user clicked on the right place. So, only one possible right click (with some offsets, it's a square box) location in this random coordinate system owned by only Google and site owners.

4ae1e1
hakunami
  • If the browser is good enough to actually show the box and detect clicks, then why would a hacking robot not be able to do the same? I could however set the position of the checkbox to a very precise position (in decimals) so if a click is detected with the same decimals, it means it's a robot who didn't bother adding random decimals to the click position. But again, that's not foolproof. – Domino Mar 25 '15 at 00:14
  • Google is supposedly using a 'learning' algorithm so that if some clients with the same characteristics seem to take the same general path and general time to get there and it's happened 100,000 times a day, they're probably not legit. – Allison Mar 26 '15 at 03:51
  • 1
    It should be relatively easy to simulate clicking in the square area. Doesn't matter how google encrypts the data before sending. – Eugene C Jul 14 '15 at 18:39
1

Please remember that Google also uses reCaptcha together with Canvas fingerprinting to uniquely recognize User/Browsers without cookies!

Ingo