DAILY NEWS

Stay Ahead, Stay Informed – Every Day

Advertisement

Google Tests Hand Gesture Verification CAPTCHA That Uses Webcam Biometrics, Already Bypassed With Stock Photos



Google is exploring a new verification method for reCAPTCHA called hand gesture verification (HGV), according to Google Cloud documentation.The system uses access to the user’s webcam to record a video of their hand. It prompts users to wave or perform other gestures at the camera so that Google can analyze the video and extract biometric data points to verify that the user is not a bot.Early testing indicates that HGV can be bypassed using stock photos combined with OBS Studio’s virtual camera feature.The documentation states that HGV records one or more video clips through the device’s webcam. These videos are processed to identify the hand gesture and are then deleted. The system does not record any audio.How Google’s Hand Gesture Verification WorksThe verification process asks users to give webcam access. Once permission is granted, users perform a hand gesture in front of the camera, such as a wave. Google’s system then analyzes the video, extracts biometric data points, and sends a verification result to the website via reCAPTCHA.According to Google’s documentation, videos are recorded only to recognize the hand gesture, are deleted shortly after verification, and are not linked to a user’s identity.In addition, no audio is recorded during this process:
Users testing HGV have confirmed that the challenge can be bypassed without needing a physical hand or real webcam.
The workaround involves using a stock photo of a hand making the necessary gesture, combined with OBS Studio’s virtual camera feature, which presents the image to websites as if it were a live webcam feed.
An attacker can simulate the hand gesture with the stock image while OBS routes the image through the virtual camera. The reCAPTCHA system accepts this as a valid gesture.Reports suggest that the bypass can be automated with stock images and Python scripting, allowing bot operators to circumvent HGV at scale.Why Webcam-Based CAPTCHA Raises Privacy ConcernsThe requirement for HGV to access webcams has raised concerns among users about how biometric data is managed.These worries include the idea that continuous webcam access could become a normal part of browsing, the lack of independent verification of Google’s claim that videos are deleted after processing, and the potential for data retention policies to change in the future through updates to Google Cloud’s backend systems.There is also uncertainty about whether biometric data points extracted from videos are stored separately from the videos themselves. Google’s cloud platform has retained data in its backend systems even when users have had no direct access to it.This was shown in a recent case where a deleted Nest video was recovered for a high-profile investigation. Users concerned about biometric surveillance may reasonably question whether HGV’s stated deletion policy is consistently applied across all of Google’s infrastructure.For users dealing with HGV in reCAPTCHA challenges, here are some practical steps to consider:
Deny webcam access if the challenge appears on a website where webcam use isn’t appropriate for verification.
Explore alternative ways to verify your identity, such as switching to a different browser session or contacting site support if the challenge blocks legitimate access.
It’s a good idea to regularly review your browser permissions in Chrome, Firefox, Edge, or Safari settings to revoke webcam access from sites that no longer need it.
Also, consider whether the website’s service justifies granting biometric verification.
Users who are concerned about how biometric data is handled should know that HGV is still in testing and isn’t yet the standard type of reCAPTCHA challenge used on most websites.Most sites that use reCAPTCHA still rely on traditional image and text-based CAPTCHAs.What Users And Website Operators Should KnowFor site operators considering HGV as a reCAPTCHA option, the bypass demonstrations show that the challenge currently provides only limited extra protection against automated attacks. The virtual camera bypass is easy to reproduce and doesn’t require advanced tools.Google’s separate efforts with Cloudflare, Chrome, Edge, and Firefox involve Private Access Control Tokens. These offer a different approach to distinguish legitimate traffic from unwanted activity, without relying on biometric verification. Those assessing anti-bot measures may want to consider this method alongside or instead of HGV.HGV is available on Google Cloud but has not yet become the default reCAPTCHA challenge on most websites. Google has not provided a timeline for a broader rollout or committed to making HGV the standard reCAPTCHA setup.The company has also not responded to reports of bypass methods or announced solutions to prevent verification using stock photos via virtual cameras. Users can stay updated by monitoring Google Cloud’s reCAPTCHA documentation and release notes.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *