Home Carbon Ads How does Google’s No CAPTCHA reCAPTCHA work?

How does Google’s No CAPTCHA reCAPTCHA work?

recaptcha

Many websites have started integrating Google’s new No Captcha reCaptcha. It has a better anti-bot protection and user experience.

Most don’t know how it actually works. In this article I will explain various techniques used by Google to detect bots.

Is is a check box?

Google asks users to click the check box to verify that they are not bot. Even a bot can click a check box so how does it protect? Well its not actually a check box its a div inside a iframe.

Screen Shot 2014-12-04 at 7.46.52 pm

It actually create a virtual checkbox inside the iframe and user clicks the virtual check box. Google also inserts a invisible textarea inside the form. Google populates the textarea with a unique value indicating weather the user is a bot or not. We will see how it finds bot or not later on in this article.

Text inside the textarea is a unique value, true and false indicating human or bot is stored in Google servers. We need to retrieve the boolean using this unique value once form is submitted. And than act accordingly.

Why can’t bots emulate mouse click?

Most bots don’t run JavaScript therefore they won’t see the reCaptcha and therefore no textarea is embedded. We can detect this server side and find its bot or not by checking if textarea is present or not while submitting the form.

There are some bots who run JavaScript code. But they will not click on virtual checkbox because its not a checkbox for them its just a graphics.

If you design a bot specific for a website then obviously that bot can emulate a mouse click. Emulating a mouse click is not enough to bypass this security. There are a lots of other things that Google considers.

Factors on which Google depends to detect bots?

Clicking on the virtual checkbox is not the only factor. Google also relies pattern of movements of mouse that differences humans and bots. It looks for overall user engagement with the captcha. It also uses user time on page algorithms, bots IP addresses database, HTTP referer, number of requests etc. We still don’t know all the methods used by Google to detect bots.

Google’s new reCaptcha also uses algorithms of Google Analytic’s and Google Adsense to detect bots. Google Analytics detection methods prevent bots from increasing page views and Google Adsense algorithms prevent fraud clicks on ads.

What if its unsure?

Sometimes Google is unsure weather its a bot or human submitting the form. In that case it asks the user to validate the old style captcha in desktop and image clue style for mobile phones.

On Desktop

Screen Shot 2014-12-04 at 7.53.04 pm

On Phones

turkey_captcha

Once it displays this extra validation step it also starts a form expiration timer. This is done to prevent bots from solving captcha’s.

Screen Shot 2014-12-04 at 8.00.31 pm

Should you replace reCaptcha with No Captcha reCaptcha

According to Google this new model provides the higher level of protection than the old model. This new model has a better user experience then the old one. Therefore you should replace old one with the new one.

Narayan Prusty
Google's No CAPTCHA reCAPTCHA PHP Code ExampleEncrypting Local Data In Intel XDK
Comments: 3
  1. 3 years ago

    haha
    and in facebook feed
    https://www.facebook.com/nplusone/posts/1768678996786173

    ReplyCancel
  2. GreLI
    3 years ago

    Actually, it’s a total bullshit. In practice Google accepts you if and only if you Google tracking cookies. Just try to open it in Incognito mode or with anti-tracking extensions like Ghostery and you’ll be treated as bot.

    ReplyCancel
    • 0000
      2 years ago

      you can actually but you’ll solve a lot those captcha images..

      ReplyCancel

Leave a Reply

To create code blocks or other preformatted text, indent by four spaces:

    This will be displayed in a monospaced font. The first four
    spaces will be stripped off, but all other whitespace
    will be preserved.
    
    Markdown is turned off in code blocks:
     [This is not a link](http://example.com)

To create not a block, but an inline code span, use backticks:

Here is some inline `code`.

Narayan Prusty

I am a full-stack web developer. I specialize in Blockchain and JavaScript. This is my personal blog where I write about programming and technologies that I learn and feel interesting to share.

Image5 years ago 8 Comments Web Development, Web Security
Share this
Related Articles