Early this month, on the 3rd, Google announced its new bot-detecting Captcha form, called No Captcha reCaptcha. This is a great technique that was introduced in place of the old Captcha, which was text and number based. The company said the new, simple interface is more secure than the old Captcha because it analyzes user behavior to determine whether the user is a person or a bot.
Shield Square asserts that Google’s reliance on cookies creates a problem. For bots to pass the reCaptcha, all they have to do is store the relevant cookies for the website they’re looking to access. Alternatively, bots could use an optical character recognition tool to solve the puzzle in the first place, allowing continued access to the site.
“Bots simply need to get the JS code of challenge, show it to another human being,” he writes, “and use the answer that human provided.”

Another problem with the No Captcha is that researchers have found a security vulnerability in it. Using clickjacking (in which an attacker creates transparent layers on top of a website so that, when a user clicks, the click is rerouted to another site), bots can get real humans to take the reCaptcha test for them. Homakov confirms that Google has now patched the vulnerability.