Witty users defeat Google's hi-tech CAPTCHA with this low-tech hack


Security researchers claim to have already found a loophole in Google's experimental hand gesture CAPTCHA system. According to a video shared on X, the human verification system can be tricked using nothing more than a photograph of a hand.

Key takeaways:

The reported bypass shifts attention away from the privacy debate surrounding Google's camera-based CAPTCHA to a more fundamental question: Can the system reliably tell a live human from a convincing fake?


Researchers demonstrated that the hand gesture challenge, which asks users to perform simple movements in front of a webcam, can be satisfied using static photographs of people performing the requested hand gesture.

Google introduced the gesture-based verification as part of Google Cloud Fraud Defense, replacing traditional image-selection CAPTCHAs with a system that analyzes short webcam videos and extracts 21 hand-joint positions to verify that the user is human.

According to the search giant, the videos are processed only for verification, aren't linked to users' identities, don't record audio, and are deleted immediately after the challenge is completed.
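The difference between checking a pose and checking liveness can be made concrete. The following is an added example, not Google's code and not based on any knowledge of its implementation: given the 21 hand-joint positions per frame that the article describes, a pose-only check compares the geometry of a single frame against the requested gesture, and a photograph of the right gesture satisfies it exactly as a live hand does. A second, temporal check measures how much the hand's internal geometry changes between frames; a flat photograph that is merely moved or resized in front of the camera produces no such change. The landmark ordering (wrist at index 0, index fingertip at 8), the synthetic hand shapes, the sample clips and the thresholds are all constructed for this example.

```python
import math
from typing import List, Sequence, Tuple

Point = Tuple[float, float]
Frame = List[Point]  # one video frame: 21 hand-joint positions in image coordinates

# Landmark layout assumed for this example (constructed, not Google's):
# index 0 is the wrist, then four joints per finger, thumb first, so the
# index fingertip is landmark 8.
NUM_LANDMARKS = 21
WRIST, INDEX_TIP = 0, 8


def normalised_shape(frame: Frame) -> List[float]:
    """All 210 pairwise landmark distances divided by the wrist-to-index-tip
    span. Moving or resizing the whole hand in the image leaves this unchanged;
    only a change in the hand's internal geometry (fingers bending) alters it."""
    span = math.dist(frame[WRIST], frame[INDEX_TIP]) or 1.0
    return [math.dist(frame[i], frame[j]) / span
            for i in range(NUM_LANDMARKS) for j in range(i + 1, NUM_LANDMARKS)]


def gesture_matches(frame: Frame, template: Frame, tol: float = 0.05) -> bool:
    """Pose-only check on a single frame: does it look like the requested gesture?
    A photograph of the right gesture passes this just as a live hand does."""
    a, b = normalised_shape(frame), normalised_shape(template)
    return sum(abs(x - y) for x, y in zip(a, b)) / len(a) < tol


def shape_change(frames: Sequence[Frame]) -> float:
    """Mean change in normalised shape between consecutive frames.
    A flat picture that is only moved or zoomed in front of the camera scores ~0."""
    shapes = [normalised_shape(f) for f in frames]
    if len(shapes) < 2:
        return 0.0
    steps = [sum(abs(x - y) for x, y in zip(s0, s1)) / len(s0)
             for s0, s1 in zip(shapes, shapes[1:])]
    return sum(steps) / len(steps)


def verify(frames: Sequence[Frame], template: Frame,
           min_shape_change: float = 0.005) -> Tuple[bool, str]:
    """Combine the pose check with a liveness check over the whole clip."""
    if not any(gesture_matches(f, template) for f in frames):
        return False, "gesture not matched"
    if shape_change(frames) < min_shape_change:
        return False, "no articulated motion: looks like a static image"
    return True, "ok"


# ---- constructed sample input (not real landmark data) --------------------
def synthetic_hand(curl: float) -> Frame:
    """Constructed 21-point hand. Thumb and index finger stay open; curl in
    [0, 1] draws the middle, ring and little fingers towards the wrist."""
    pts: Frame = [(0.0, 0.0)]
    for finger in range(5):
        angle = math.radians(50 + 20 * finger)        # fan the fingers out
        shrink = 1.0 if finger < 2 else 1.0 - 0.8 * curl
        for joint in range(1, 5):
            r = 0.25 * joint * shrink
            pts.append((r * math.cos(angle), r * math.sin(angle)))
    return pts


def photographed(frame: Frame, dx: float, dy: float, scale: float) -> Frame:
    """A flat photo held up to the camera: every landmark gets the same
    translation and scaling, so the hand's internal geometry is frozen."""
    return [(x * scale + dx, y * scale + dy) for x, y in frame]


TEMPLATE = synthetic_hand(0.0)                               # requested gesture
LIVE_FRAMES = [synthetic_hand(0.1 * i) for i in range(6)]    # fingers curl during the clip
PHOTO_FRAMES = [photographed(TEMPLATE, 0.1 * i, 0.05 * i, 1.0 + 0.05 * i)
                for i in range(6)]                           # photo waved at the camera
WRONG_FRAMES = [synthetic_hand(0.5)] * 6                     # wrong gesture, held still

if __name__ == "__main__":
    for name, clip in [("live", LIVE_FRAMES), ("photo", PHOTO_FRAMES), ("wrong", WRONG_FRAMES)]:
        print(f"{name:5s} shape_change={shape_change(clip):.4f} -> {verify(clip, TEMPLATE)}")
```

The photo clip passes the single-frame gesture check on every frame and is rejected only by the temporal check, which is the whole point: matching joint positions against a target pose says nothing about whether a living hand produced them. A temporal check of this kind is one layer rather than a complete liveness test; a deployed system would also have to contend with perspective distortion when a photo is tilted, replayed video of a real hand, and rendered or animated hands, none of which this example addresses.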

The CAPTCHA arms race continues

The reported bypass underscores the challenges facing Google and the wider cybersecurity industry as AI-powered bots become increasingly capable of defeating traditional verification methods.

For years, websites relied on distorted text, image puzzles, and Google's familiar "I'm not a robot" checkbox to separate humans from automated traffic. But thanks to advances in machine learning and generative AI, the effectiveness of these challenges has declined dramatically. This has companies like Google scrambling to experiment with increasingly sophisticated forms of verification.

Typical visual CAPTCHA test on a screen
Image by Shutterstock

Last year, the company introduced adaptive, risk-based challenges that appear only when a visitor or action is deemed suspicious. This allows websites to apply stricter verification to high-value actions such as account creation or checkout while minimizing friction for legitimate users.


More recently, it introduced QR code-based reCAPTCHA, which asks users to scan a code using a compatible Android phone or iPhone. The feature was intended to make automated abuse more difficult, but it also drew criticism from privacy advocates after GrapheneOS warned that it could lock out users of de-Googled Android devices.

Google isn't the only company looking beyond traditional CAPTCHAs. Just last week, Mozilla proposed a broader industry effort to develop a privacy-preserving alternative. The proposal aims to reduce bot abuse without requiring users to surrender additional personal information.

If the reported bypass withstands wider scrutiny, Google's latest experiment may become another reminder that there is still no perfect way to answer one of the internet's oldest questions: Is there really a human on the other side of the screen?

