reCaptcha

Foundation

reCaptcha company has been aquired by Google and today it is not an open source project, so Google is not charing information how the Callenge algorithm work, which parameters are monitored on the user side and how the reCaptcha API Script is interacting with Google Back-End.

Captcha means: A CAPTCHA ( for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge–response test used in computing to determine whether or not the user is human.

"No Captcha re-captcha" was proposed by Google in 2014

Some relevant materials found to better understand reCaptcha:

• Official Site of Google: https://www.google.com/recaptcha/about/

• The original author article of 2008 on science Mage: https://www.site.uottawa.ca/~stan/csi2911/reCaptcha_Science.pdf

• Understanding reCaptcha good article: https://www.blackhat.com/docs/asia-16/materials/asia-16-Sivakorn-Im-Not-a-Human-Breaking-the-Google-reCAPTCHA-wp.pdf

• https://www.youtube.com/watch?v=8iMU9HbJ7Wo

ReCaptcha is driven by an “advanced risk analysis system” that evaluates requests and selects the difficulty of the captcha that will be returned. Users may be required to click in a checkbox, or solve a challenge by identifying images with similar content.

How does it work?

• The user visits a Web Page and click on the reCaptcha button, saying I'm not a Robot.

• When clicking on that buton this will trigger a Javascript from Google that will collect user information and browser information and send it to Google Back-end that will analyse it to see if i'm a Robot (so Google perfom an advanced risk analysis).

  • If google think I'm a human, then they will say ok

  • If not, they will send a captcha that I need to solve (like image)

  • Then I solve it (you have maxi 55 sec to solve that challenge, being it image or text captcha) and send a reponse to Google Back-end

  • If good, Google back-end will send back a Reponse

• Then FE app, send the Captcha user Token to back-end App that will request Google Service to validate that captcha that will give an answer on how confident (score) the user is not a Robot

Analysis of the Google Advanced Risk Analysis System:

• the Google Widget is highly obfuscating the javascript that is encrypted

• What checks google do?

  • Check the browser environment

  • Check cookies (any request to google.com sent over HTTP(s) include google cookie that is collecting on user side information (so user tracking, user history), even if you are not logged on google

  • Mouse Mouvement (not found that it matter)

A Captcha algorithm is consider broken if there is an automation algorithm that can solve it at least 1% of the time