How We’re Tricking Google reCAPTCHA to Get Unlimited One-clicks!

by: Cassie
March 29, 2019

Google reCAPTCHA

Since its introduction in 2014, there have been various attempts to break the Google reCAPTCHA v2 featuring image verification. However, no one was really able to trick Google’s systems so far and reach a bypass method to quickly and effectively solve hundreds of Google reCAPTCHAs. In the least amount of time & with minimal human effort and intervention.

Background

The first innovative solution to Google reCAPTCHA was having someone from a third world country remotely solve it for you and send you the token using APIs and systems designed for that purpose like 2captcha. It- is, to date, a widely used solution but it does not offer the desired speed and it costs a few bucks!

The next attempt was introduced in a publication by Columbia University in NYC talking about how they were able to trick Google reCAPTCHA into giving them higher chances for one-clicks and how they were able to achieve 70%+ accuracy in solving a great number of reCAPTCHA challenges. This publication is the primary inspiration behind the commonly used techniques in major bots; Google account powered one-click CAPTCHAS!

For a brief moment in 2017 we had a fast-rising contestant in breaking the Google reCAPTCHA called unCAPTCHA by the University of Maryland. They claimed to be able to achieve around 90% accuracy by exploiting the audio version of Google’s reCAPTCHA using a free, publicly available speech to text API. This method was reported to Google & is no longer a valid solution because Google reCAPTCHA system now can easily detect that you are automating that process after you solve 1 or 2 CAPTCHAS using this method from the same IP Address.

How Google reCAPTCHA works

Google recaptcha 1

An awesome dig into how Google reCAPTCHA system works is this open-source GitHub repository introduced about 4 years ago.

Using the reverse engineering work done on that repository, in addition to some investigation and work from our side, we were able to break down how Google reCAPTCHA works:

  1. Once a client requests to load a CAPTCHA, a unique JavaScript code will be sent to that client which has unique encryption keys. Google also registers the CAPTCHA request in its servers creating a unique encrypted communication stream.
  2. Once the user clicks on the checkbox, a request is sent to Google’s servers that contains encrypted user information, mouse movements, browser environment variables, and more. Google’s servers decrypt that information & replies with the type of challenge it needs the client to solve based on its risk analysis algorithms. The challenge can be an image challenge, a multi-image challenge, or a nocaptcha. A nocaptcha challenge indicates that the client has properly passed the risk analysis and gives the user what we call a one-click!
  3. The client loads the challenge it receives from Google & once solved it sends a request with the encrypted solution to Google for verification.
  4. Once verified, Google will reply with a token that can be used to bypass a particular CAPTCHA-protected step in a web site or web service!

Captcha

How we Tricked Google Servers to Get UNLIMITED ONE-CLICKS

Based on the above info, we were able to come up with a solution to trick Google’s systems to get unlimited one-click CAPTCHAs! Our method does not even need a “good” Gmail account. in fact, you don’t even need to be logged in to Gmail!

What we basically do is that we intercept the request in step 2 above and change the parameter that specifies the challenge type and set it to nocaptcha! This will force the client to give a one-click! Everything else will be the same so the solution will be properly generated and encrypted using the correct keys/algorithms to be sent and verified by Google!

How Is This Even Possible!?

Even the greatest of systems can have the small loopholes that defeat their whole purpose. We have learned to thoroughly identify and make use of those flaws. Since it is the unique JavaScript code with the unique encryption key that is generating the solution, Google cannot spot the difference and will think that a challenge was actually solved! You don’t have to log in to a Google account because no matter how good or bad your risk analysis score was, we are forcing a one-click by tampering the response from Google’s servers! Imagine, infinite super fast ONE-CLICKS on infinite solvers!

Why are we going public with this

This security vulnerability in Google reCAPTCA is not a small-scale bypass that we found in some other site. This is a serious breakthrough that no one was able to achieve before. And this has a MAJOR effect on the internet altogether! What comes with it is not just unlimited botting, but also unlimited SPAM & other possible online harm that we do not support or condone. We are going public with this in an attempt to help it reach the developers behind Google reCAPTCHA for a fix. We will also disclose a report to Google linking to this article in efforts to assist them to patch this major exploit. In the meantime, we are happy to share this with our competitors in the market so that they can also take advantage of it during the short period of time we have left until Google takes notice.

When will users get it?

We are finalizing a few things and we expect the UNLIMITED ONE-CLICKS CAPTCHA feature to be pushed in a patch around next week!