Google tests hand gesture verification CAPTCHA that uses webcam biometrics, already omitted with stock photos


Google is exploring a new verification method for reCAPTCHA called hand gesture verification (HGV), according to Google Cloud documentation.

The system uses access to the user’s webcam to record a video of their hand. Ask users to wave or make other gestures toward the camera so Google can analyze the video and extract biometric data points to verify that the user is not a bot.

Early tests indicate that heavy vehicles can be avoided by using stock photos combined with OBS Studio’s virtual camera feature.

The documentation indicates that HGV records one or more video clips through the device’s webcam. These videos are processed to identify the hand gesture and then deleted. The system does not record any audio.

How Google Hand Gesture Verification Works

The verification process asks users to provide access to the webcam. Once permission is granted, users perform a hand gesture in front of the camera, like a hand gesture. Google’s system then analyzes the video, extracts biometric data points, and sends a verification result to the website via reCAPTCHA.

According to Google documentation, the videos are recorded only for hand gesture recognition, are deleted shortly after verification, and are not linked to the user’s identity.

Additionally, no audio is recorded during this process:

  • Users testing heavy vehicles have confirmed that the challenge can be overcome without the need for a physical hand or a real webcam.
  • The solution is to use a stock photo of a hand making the necessary gesture, combined with OBS Studio’s virtual camera feature, which presents the image to websites as if it were a live webcam feed.

An attacker can simulate the hand gesture with the stock image while OBS directs the image through the virtual camera. The reCAPTCHA system accepts this as a valid gesture.

Reports suggest that bypassing can be automated with stock images and Python scripts, allowing bot operators to bypass heavy vehicles at scale.

Why webcam-based CAPTCHA raises privacy concerns

The requirement for heavy vehicles to access webcams has raised concerns among users about how biometric data is managed.

These concerns include the idea that continued webcam access could become a normal part of browsing, the lack of independent verification of Google’s claim that videos are deleted after processing, and the possibility that data retention policies could change in the future through updates to Google Cloud’s backend systems.

There is also uncertainty over whether biometric data points extracted from videos are stored separately from the videos themselves. Google’s cloud platform has retained data in its backend systems even when users have not had direct access to it.

This was demonstrated in a recent case where a deleted Nest video was recovered for a high-profile investigation. Users concerned about biometric surveillance may reasonably question whether HGV’s stated deletion policy is applied consistently across Google’s infrastructure.

For users taking on heavy vehicles in reCAPTCHA challenges, here are some practical steps to consider:

  1. Deny webcam access if the challenge appears on a website where webcam use is not appropriate for verification.
  2. Explore alternative ways to verify your identity, such as switching to a different browser session or contacting site support if the challenge blocks legitimate access.
  3. It’s a good idea to periodically review your browser permissions in Chrome, Firefox, Edge, or Safari settings to revoke webcam access from sites that no longer need it.
  4. Additionally, consider whether the website service justifies granting biometric verification.

Users who are concerned about how biometric data is handled should know that HGV is still in testing and is not yet the standard type of reCAPTCHA challenge used on most websites.

Most sites that use reCAPTCHA still rely on traditional image- and text-based CAPTCHAs.

What website users and operators should know

For site operators considering HGV as a reCAPTCHA option, bypass demos show that the challenge currently provides only limited additional protection against automated attacks. The virtual camera bypass is easy to reproduce and requires no advanced tools.

Google’s separate efforts with Cloudflare, Chrome, Edge, and Firefox involve private access control tokens. These offer a different approach to distinguishing legitimate traffic from unwanted activity, without relying on biometric verification. Those evaluating anti-bot measures may want to consider this method alongside or instead of HGV.

HGV is available on Google Cloud, but has not yet become the default reCAPTCHA challenge on most websites. Google has not provided a timeline for a broader rollout or committed to making HGV the standard reCAPTCHA setting.

The company has also not responded to reports of circumvention methods or announced solutions to bypass verification using stock photos via virtual cameras. Users can stay up to date by monitoring the Google Cloud reCAPTCHA documentation and release notes.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *