Witty users defeat Google's hi-tech CAPTCHA with this low-tech hack

Security researchers claim to have already found a loophole in Google's experimental hand gesture CAPTCHA system. According to a video shared on X, the human verification system can be tricked using nothing more than a photograph of a hand.
- Researchers bypass Google’s gesture-based CAPTCHA using a simple hand photograph, exposing a security flaw.
- The system uses webcam video and hand-joint tracking to verify humans; Google claims data is deleted after verification.
- The finding highlights an ongoing CAPTCHA arms race as AI bots improve, pushing new verification methods.
- It raises reliability and privacy concerns, prompting efforts like Mozilla’s push for privacy-preserving human verification alternatives.
The reported bypass shifts attention away from the privacy debate surrounding Google's camera-based CAPTCHA to a more fundamental question: Can the system reliably tell a live human from a convincing fake?
Researchers demonstrated that the hand gesture challenge, which asks users to perform simple movements in front of a webcam, can be satisfied using static photographs of people performing the requested hand gesture.
Google introduced the gesture-based verification as part of Google Cloud Fraud Defense, replacing traditional image-selection CAPTCHAs with a system that analyzes short webcam videos and extracts 21 hand-joint positions to verify that the user is human.
According to the search giant, the videos are processed only for verification, aren't linked to users' identities, don't record audio, and are deleted immediately after the challenge is completed.
The CAPTCHA arms race continues
The reported bypass underscores the challenges facing Google and the wider cybersecurity industry as AI-powered bots become increasingly capable of defeating traditional verification methods.
For years, websites relied on distorted text, image puzzles, and Google's familiar "I'm not a robot" checkbox to separate humans from automated traffic. But thanks to advances in machine learning and generative AI, the effectiveness of these challenges has declined dramatically. This has companies like Google scrambling to experiment with increasingly sophisticated forms of verification.
Last year, the company introduced adaptive, risk-based challenges that appear only when a visitor or action is deemed suspicious. This approach allowed websites to apply stricter verification to high-value actions such as account creation or checkout while minimizing friction for legitimate users.
More recently, it introduced QR code-based reCAPTCHA, which asks users to scan a code using a compatible Android or iPhone. The feature was intended to make automated abuse more difficult, but it also drew criticism from privacy advocates after GrapheneOS warned that it could lock out users of de-Googled Android devices.
Google isn't the only company looking beyond traditional CAPTCHAs. Just last week, Mozilla proposed a broader industry effort to develop a privacy-preserving alternative. The proposal aims to reduce bot abuse without requiring users to surrender additional personal information.
If the reported bypass withstands wider scrutiny, Google's latest experiment may become another reminder that there is still no perfect way to answer one of the internet's oldest questions: Is there really a human on the other side of the screen?