UnCAPTCHA: Use Google services to bypass Google reCAPTCHA. Getting rid of annoying captcha on VKontakte How to bypass captcha using sql injection

Captcha technology (CAPTCHA) is an automated test designed to identify machine users, aka bots.

Its goal is to pose a problem that can be easily solved by a human, but is difficult for a computer.

But there are also situations when a seemingly useful script becomes too intrusive.

There is an assumption that Google trains the AI of its drones on the answers users give to the "I am not a robot" picture captchas.

How to remove the "I'm not a robot" captcha

The reasons for this behavior may vary, but you can always try to fix it by working through the following steps one at a time:

  • Disconnect and reconnect the active Internet connection, or reboot the router or modem. The IP address may change as a result.
  • Use a VPN service. These are available both paid and free, as browser extensions (add-ons) and as software installed separately on the computer.
  • Review the installed extensions. For example, the latest version of Yandex.Browser itself disables plugins from unverified sources and periodically checks those already installed for fakes.
  • Check that JavaScript is enabled in the web browser: Settings → Show additional settings → Personal data block → Content settings → JavaScript section.
  • Do not forget about antivirus programs: the computer may have become part of a botnet, which is why the CAPTCHA objects to the traffic generated from this address.

Interestingly, hundreds of millions of captchas are entered by Internet users every day. It is no secret that not everyone manages to enter it correctly the first time.

A CAPTCHA requiring you to prove that “I’m not a robot” appears on more and more sites and services, and annoys users. There are several reasons why sites mistake visitors for bots and require verification characters to be entered. Is it possible to get rid of the repeated check, what needs to be changed in the browser settings and the page on VKontakte, how to bypass the captcha using VPN services?

What is captcha?

CAPTCHA is an automated public Turing test. It allows you to identify a bot among website visitors. A mechanism for protecting web services from spam was developed in 2000 by a team at Carnegie Mellon University. The idea of the test is that the proposed task is easy for people to perform, but inaccessible to machines.

Most often, users need to enter characters from a picture. They are depicted with noise, or are translucent, so that the machine cannot recognize them. Initially, the system worked well, reduced the load on sites, and freed them from fake comments.

Seven years after the creation of the Turing test, a modification appeared - reCAPTCHA. People were asked to recognize words from scanned editions of The New York Times. Spam protection simultaneously helped to digitize the publication.

But computers became more powerful and became capable of recognizing characters. Therefore, other options appeared: searching for cats, road signs in pictures, or checking the box next to the phrase “I’m not a robot.”

A test that was useful for website administration began to irritate users. Sometimes you have to enter the captcha several times to see a certain page. A separate problem is the captcha on VKontakte.


There are several reasons why a user has to constantly prove that he is not a robot. Even if a person does not spam, but simply leaves comments or communicates on social networks, he may be constantly asked to enter characters.

Suspicious traffic from the computer. Browser extensions or viruses on the user's device can become part of a bot network. For this, reCAPTCHA blocks his IP address.

Bad Company. Providers allocate one real IP for a group of subscribers. Therefore, if one of them is a bot, he is blocked, and the entire group is blacklisted.

Disabling JavaScript on your smartphone. The reCAPTCHA mechanism is JavaScript code on the site. Scripts are used not only by services, but also by scammers, which is why JavaScript is disabled in browsers on smartphones for security. This causes reCAPTCHA to malfunction.

How to get rid of captcha

Changing settings

Google Chrome users can get rid of the annoying protection by disabling a number of extensions. The AdBlock ad-blocking extension or the RDS Bar plugin often lead to captchas.

Another option for computers is to reconnect to the Internet. After rebooting the modem or router, the user can get a new external address and get rid of the annoying check.

iPhone owners can open the “Add-ons” tab in the Safari settings and enable JavaScript. For Android users on Chrome, you need to click on the three dot menu, go to Settings, open Site Settings and also enable JavaScript. Another option for mobile phones is to briefly turn on airplane mode, after which the smartphone will be re-registered on the network and will be able to receive an untainted IP.

You can get rid of the VKontakte captcha in a few minutes. In the page settings, go to the “Security” section, click on “Show activity history”. A pop-up window will show the history of visits to the site and the IP from which you logged in.

If there is an address in the list that differs from the user's address, you need to click "End all sessions." And then change the password. In addition, captcha appears less frequently if the page is linked to a phone number.

Special services

If you are too lazy to enter a captcha even occasionally, other users will do it for a fee. Specialized web services will charge you approximately 40 rubles for solving thousands of pictures. The user will receive a special key that allows him to forget about the annoying test.

Dynamic IP

If tinkering with the settings doesn’t help, you’ll have to use VPN services. Large companies provide this service for a fee. But there are also free services with a good interface that are easy to use. For example, the CyberGhost VPN program.

The service works with all popular browsers and is perfectly protected thanks to the OpenVPN protocol with 256-bit AES encryption. It is free to run on one device only. The user has access to 37 servers in 12 countries, and the service works without interruption for about three hours, after which he must connect again to continue working.

Instructions for correctly recognizing captchas on the website service

ReCaptcha V2 New
Very popular lately, it consists of 9 mini-pictures, from which you need to select 2-4 given pictures. Which pictures you need to choose are indicated either by a sample picture or by text. In response to such a captcha, you need to enter the numbers of the pictures that you want to select. Numbers are entered without spaces or commas. If there are no numbers on the pictures themselves, then they are counted from left to right, top to bottom. Like this:
1 2 3
4 5 6
7 8 9

Correct answer | Description
13 | On the right is a sample: cabbage. In pictures numbered 1 and 3 we see cabbage. In response to the captcha we write 13.
58 | On the right is a plate of spaghetti. This picture corresponds to pictures numbered 5 and 8. In picture number 3 there is the same pasta, but ravioli, not spaghetti.
239 | There is no sample, only text that says which pictures you need to choose. The pictures themselves are not numbered, so we use the instructions above to understand which picture corresponds to which number.
45 | At first you might think that the correct answer is 47. But in picture 7 there is not a sign, but just a sign. And only the 4th picture remains. But there must be at least 2 suitable images. We take a closer look and see in the 5th image a sign photographed from the reverse side. The correct answer is 45.
159 |
456 | The instructions are in English only, but there is a picture on the left explaining that you need to choose road signs.
18 | The example shows eggs. They are the same in pictures 1 and 8, although they have already been peeled and cut. The correct answer is 18.
25 | The example shown is a pie. In pictures 2 and 5 we see pies and answer 25.
12 | The webmaster who sent the captcha numbered the images according to his own principle. In this example we use his numbering and indicate that you need to select images 1 and 2.
356 | This webmaster numbers the pictures in the correct order, but he started numbering not from one but from zero.

ReCaptcha v2 with road signs and street signs

We will pay special attention to captchas that depict road signs or street signs. A street sign is not a road sign.

Correct answer | Description
1239 | Street name = street signs. Streets are always written in white on a green background in one line. Image 7 shows a road sign.
1348 | It's simple here
78 |

Street signs = road signs

Everything is simple in this captcha

278 | In image #7, the sign is not on a pole, like regular signs, but on a bump stop. However, this is a road sign.
36 | A bus stop sign is also a road sign.
1248 | Be careful, this captcha asks us to indicate street signs.
2479 | Image #1 shows a sign, not a street name.
1236 | Image #5 shows a sign, not a street name. In image No. 2 the street name is not visible, but you can guess that it is there.

SolveMedia
This captcha contains standard small phrases in English, which helps you enter them faster and learn English.

Correct answer | Description
video tape | Simple captcha, entered without problems.
what if? | Please note: punctuation marks must also be entered.
When, where? | Both a comma and a question mark must be included in the answer.
i like people | In the word LIKE, the first letter is difficult to make out, but if you look at the entire phrase, it is easy to understand what the letter is. I like people - I love people
rooftop | You might think that the first letter in this captcha is P and two sticks are simply stuck to it. But the word POOFTOP does not exist, and ROOFTOP is something that is installed on the roof. After all, few people know all these words, it is very easy to make a mistake.
first post! | The first letter is hidden, but looking at the whole word, you can guess that FIRST is written there.

But sometimes you come across ones that you can’t make out at all. In this case, you need to click “I can’t make it out”.

Other types of captchas


Today many sites use captcha for protection from spam. Don’t forget also about captchas, which are displayed when sending messages or commenting on your friends’ posts on social networks.

The problem is that the use of such protection is popular: this is an interesting example of plagiarism in the online space. But there is good news: there are ways to bypass the captcha.

What kind of captcha is there?

A typical captcha involves entering garbled characters. There are also other types of captchas.

These include:

  • a combination of letters and numbers in the code, both Russian and English;
  • an arithmetic operation, most often elementary, but sometimes quite complex (complex captchas are usually placed on serious resources);
  • pictures shown in the wrong position, which you set to the correct position by pressing a button;
  • pictures in which you need to highlight a certain group of objects based on one common characteristic.

The more complex the captcha, the better protected the site or other resource. You can bypass the captcha: we’ll look at how exactly now.

How to bypass captcha on a website?

It is unlikely that you will be able to avoid the appearance of a captcha, but it is quite possible to make sure that you do not have to enter it.
To do this, you just need to download a program that will decipher the codes for you, register there and start using them.

There are different types of programs: for manual and for automatic captcha recognition. The most popular are Rucaptcha and Antigate. They are not free, but the price of captcha recognition is quite small - from 18 rubles per 1000 entries on Rucaptcha and from $0.7 per 1000 images on Antigate. For the average user, this package will last a long time.

Programs for automatic captcha recognition are more expensive. For example, the cheapest CapMonster 2 package costs $37. But such programs are not designed for the average user, but for those who actively mail to many addresses, because they are capable of recognizing several million captchas a day.
When the program is installed and put into operation, you will no longer be required to prove that you are not a robot - the program will recognize the captcha.
We must pay tribute to the developers - such programs greatly simplify our lives. On the other hand, it is obvious that captcha will not save you from real robots, but it may well fray the nerves of ordinary Internet users.

Anticaptcha manual recognition service. Real people work on captcha recognition, so the service can handle everything that a person can recognize:

text captchas, graphic captchas: ReCaptcha V2, KeyCaptcha, FunCaptcha, etc.


How to bypass captcha using dynamic IP address

There is another effective way to get rid of captcha - order a dynamic IP address. This service is usually paid, and its cost depends on the provider’s prices. After this, set the fastest automatic address change in the settings (for example, every second).

This method is guaranteed to save you from the annoying captcha - which means you won’t need to sigh irritably every time the program decides to check your humanity.

If the captcha appears too often, you need to find out why this is happening. It makes sense for Google Chrome users to check extensions. For example, if you disable the ad-blocking extension AdBlock or the RDS bar plugin, then most likely the captcha will no longer appear.

How to make money on captchas

If you are not at all annoyed by entering captcha, then you can also make money on this. To do this, you need to find a service where you want to work as a “captcha typist” and go through the registration process on the site. Immediately after this you can start working. The more captchas you complete, the more money you will receive. It's hard to think of an easier way to make money online. On Rucaptcha, the rate ranges from 1 to 10 kopecks for recognizing one image.


  • manual CAPTCHA hacking (a hacker studies a specific implementation of a captcha and selects ways to break it);
  • the use of special programs (robots), with the help of which mass automated attacks are organized on several sites simultaneously (usually developed on the same platform or having the same captchas, to which hackers managed to find the “keys”);
  • exploitation of the labor of real people.

The motives of attackers when cracking a captcha can be very different, ranging from banal envy and revenge, to spreading spam and gaining control over the entire resource using SQL injections and other mechanisms.

As a rule, all mass captcha bypasses begin with manual hacking. This usually happens on demand or out of scientific interest, and such attacks are aimed at specific CAPTCHA implementations.

Then they are put on stream, i.e. automated using robot programs (bots).

Well, in cases where it is not possible to avoid a captcha programmatically, the CAPTCHA is entered manually using the labor of real people who send this data to the attacker or solve the captcha in real time thanks to the API.

So, we figured out the tools and motives of hackers. Let's now look at the most common methods of bypassing CAPTCHA, sorting them into two groups: those that are possible due to programmer errors when implementing CAPTCHA and those for which modern technologies are used.

Let's start in order, and I will try to place them in order of increasing complexity of protection against them, starting with the most primitive and ending with those for which methods of protection have not yet been invented.

To create intrigue, I will say that at the moment there are three.

Bypassing captcha due to implementation errors

If you ask the creators of their own CAPTCHA implementations about how to bypass the captcha, they will tell you at least several ways. But the most interesting thing is that they themselves sometimes leave windows and doors in their creations for hacking.

This often happens due to the fault of the human factor, or rather ordinary inattention during development and lack of thoroughness when testing the security of captchas.

But sometimes there is also inexperience, due to which the programmer simply was not aware of some methods of bypassing captcha at the time of development.

As I promised, in this section I will look at the most common ones, as well as ways to protect against them. And let's start, as promised, with the most primitive thing.

Bypassing a captcha with a fixed set of tasks

At the dawn of captchas, self-written captchas were very popular as a means of fighting bots, because everyone wanted to try the new technology, and as a result, captchas were invented by everyone who was not too lazy.

In the case of using self-written captchas, in the implementation of which the developers decided not to bother with a large database of pictures, questions or other types of tasks, for a targeted automatic attack on a site with such a CAPTCHA, you just need to find out the answers manually.

That is, we go to such a site, select answers, compile a database of tasks and correct solutions, and write a bot for brute force attacks that will select suitable options.

But, fortunately, you will not come across many such situations in the modern world, because cybersecurity has since reached a very respectable level and no one creates such primitive captchas.

And if there are such people, then they very quickly learn from their mistakes when they lose control of their site or clients who were hacked because of such creations.

Protection: never create captchas with a set of tasks, solutions to which can be selected manually. If to solve a captcha you need to solve a mathematical example or enter characters from a picture, then tasks and answers to them should be generated automatically.

Another way to protect against such automatic captcha entry is to change the name of the form field in which the answer should be entered. If the field name, for example, is always “captcha,” then it will be easier for an attacker to crack such a captcha. His robot program only has to send a request, containing the required captcha value, to the server script specified in the HTML “action” attribute of the form.

If in this situation the name of the captcha field is the same all the time, then the hacker will simply use a database of the most common names of captcha fields, which you can compile yourself while studying various sites or download ready-made from specialized resources (I will not list them, so as not to promote hacking).

If the field name, like the captcha task itself, is generated on the server, then no captcha name database will help. In order to use a dynamic field name, in practice the captcha is generated by one script and processed by another.

In this case, the implementation of captcha has one significant nuance: the script that processes the correctness of its entry will need to somehow pass the name of the captcha field. This is most often done using hidden input forms, data attributes or transmitting them via cookies or session.

The key point is that you cannot pass the name directly, e.g. with the captcha field called “captcha_mysite” and the hidden field containing the value “captcha_mysite” or “site”. It must be encrypted, and decryption must use the same algorithm as encryption.

Since the encryption algorithm will be stored on the server, an attacker will not be able to easily recognize it (unless he gains access to the contents of the server script).

By the way, it is enough to use a random sequence of characters instead of the field name, which in PHP is very easy to get using the uniqid() function.

Bypass captcha using sessions

If the implementation of a captcha involves storing the correct answer in a session, and the session is not created anew after each captcha is entered, then attackers can find out the session identifier and find out the encrypted value of the CAPTCHA.

Thus, they can easily work out the encryption algorithm and use it for further automated brute force attacks using bots.

Also, if in the code for checking the user's response on the server the programmer does not check for emptiness of the session variable in which the user's response is transmitted, then the hacker can use a non-existent session identifier for which the variable simply will not exist.

Due to this omission, such captchas can be solved by inserting non-existent session ids and empty captcha values.

Protection: however much you might want to stop using sessions to pass captcha values, giving them up is a very high price to pay for protecting the captcha from hacking. Therefore, sessions, their variable values and their identifiers simply need to be carefully protected so that a hacker cannot use the information stored in them.

It is also worth performing all the banal, but so necessary checks of variables for the existence and emptiness of their values.
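
The checks from this section and the server-generated field name from the previous one, as an added Python example that is not code from the original article. It assumes an in-memory dict standing in for session storage and hypothetical function names; the field name comes from a CSPRNG rather than a time-derived value such as PHP's uniqid().

```python
import hmac
import secrets

SESSIONS = {}  # constructed in-memory stand-in for server-side session storage


def naive_check(session_id, form):
    """The flawed check described above, kept for comparison only.

    An unknown session id yields None for the stored answer, and a form
    without the fixed "captcha" field also yields None, so None == None passes.
    """
    stored = SESSIONS.get(session_id, {}).get("captcha_answer")
    return stored == form.get("captcha")


def issue_challenge(session_id):
    """Generate the task, its answer and the form field name on the server."""
    a, b = secrets.randbelow(90) + 10, secrets.randbelow(90) + 10
    field = "f_" + secrets.token_hex(8)  # CSPRNG output, not time-based
    SESSIONS.setdefault(session_id, {})["captcha"] = {
        "field": field,
        "answer": str(a + b),
    }
    # Only the question and the field name are sent to the browser;
    # the answer never leaves the server.
    return {"question": f"{a} + {b} = ?", "field": field}


def hardened_check(session_id, form):
    """Verify a submission against server-side state; one try per challenge."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False                       # unknown session id
    challenge = session.pop("captcha", None)
    if challenge is None:
        return False                       # nothing issued, or already used
    submitted = form.get(challenge["field"])
    if not isinstance(submitted, str) or not submitted.strip():
        return False                       # missing or empty answer
    # Constant-time comparison of the submitted and expected answers.
    return hmac.compare_digest(submitted.strip().encode(),
                               challenge["answer"].encode())
```

Because the challenge is removed from the session on every check, a wrong or replayed answer forces a new task and a new field name to be issued.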

Cracking a captcha due to secret information in the client code

Sometimes captchas are made in such a way that, when user values are transferred to the server, they are encrypted with a so-called “salt”, i.e. a session ID, IP address or other unique data is added to the CAPTCHA value. Often this is simply a random sequence of characters.

And the main condition for solving a captcha is that the encrypted CAPTCHA value entered by the user matches its correct value, which was generated when the page was opened and recorded in a session or other storage for further transmission to the server.

If these values match, the user is most likely a real person who solved the captcha within the same communication session in which it was generated, and from the same computer on which he first saw it.

If these unique values do not match, then most likely the captcha was entered automatically by a robot.

This mechanism for protecting the site from bots is well thought out, but sometimes these secret generated values are present in the HTML code of the page, from where they can be easily read. It is therefore possible to read them automatically with a program and enter them just as automatically when passing the captcha.

Protection: When implementing a CAPTCHA on your own, you need to take this security hole into account, and if to solve a captcha you need to take into account the value of some unique identifier, then you need to make sure that it is not mentioned either in the JS or in the HTML code that can be viewed in the browser.

You also need to recreate the session ID and generate other unique values (including the CAPTCHA itself, if possible) after each attempt to enter the captcha, which will prevent hackers from hacking the site by automatically selecting the correct value, or at least make it more difficult for them.

Another means of protection is, if possible, to block actions by IP and number of attempts.

How to bypass captcha without changing IP

A brute force attack is an effective way of bypassing a captcha, and not only when it is implemented with a fixed set of tasks and their solutions.

Another mistake in the implementation of CAPTCHA, which makes it vulnerable to automated attacks, is the lack of time limits for solving a captcha and the number of attempts.

In this case, you can bypass the captcha using a special program that collects a database of questions or selects answers from an existing list. Moreover, all this is done automatically thanks to modern machine learning methods and developments in the field of artificial intelligence, which have made a big step forward in recent years.

Protection: When implementing a truly secure captcha, you need to limit the time to answer and the number of attempts to solve the captcha from one IP to block brute-force attacks by robots.

For example, if less than 2 seconds passed between the generation of a captcha and the user’s answer, then consider such a user a robot and display a corresponding message on the screen. The text of the message should contain instructions to real users that the input should not be done so quickly (in case the person was physically able to enter the answer faster).

If it was really a person, then he will take appropriate measures, and if it is a robot, he will continue to attempt to bypass the captcha.

Such attempts should be considered incorrect, with their number recorded in the session variable and further actions blocked for users by their IP. It would also be a good idea for such blocked addresses to issue a message to contact the administrator instead of a captcha if the blocked user was a real person.

And another effective way to combat bots is to introduce limits on certain actions on the site. For example, one registration from one IP. The main thing here is not to overdo it and go as far as limiting the number of comments for one unique user.
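
One way to apply the time and attempt limits described above, as an added Python example that is not code from the original article. The 2-second minimum is the article's; the expiry, failure budget and lockout length, and the names AttemptGuard, on_issue and on_answer, are assumptions.

```python
import time

MIN_SOLVE_SECONDS = 2      # from the text: faster answers are treated as bots
MAX_SOLVE_SECONDS = 120    # assumed expiry for an issued captcha
MAX_FAILURES = 5           # assumed failure budget per IP
BLOCK_SECONDS = 900        # assumed lockout length


class AttemptGuard:
    """Per-IP timing and attempt limits wrapped around a captcha check."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._issued = {}    # ip -> time the current captcha was generated
        self._failures = {}  # ip -> failed attempts since the last success
        self._blocked = {}   # ip -> time at which the block ends

    def on_issue(self, ip):
        """Call when a captcha is generated; False means the IP is blocked
        and should see a "contact the administrator" message instead."""
        if self._is_blocked(ip):
            return False
        self._issued[ip] = self._clock()
        return True

    def on_answer(self, ip, answer_is_correct):
        """Return a verdict string for one submitted answer."""
        if self._is_blocked(ip):
            return "blocked"
        issued = self._issued.pop(ip, None)   # each captcha is answered once
        if issued is None:
            return self._fail(ip, "no_challenge")
        elapsed = self._clock() - issued
        if elapsed < MIN_SOLVE_SECONDS:
            return self._fail(ip, "too_fast")  # tell real users to slow down
        if elapsed > MAX_SOLVE_SECONDS:
            return self._fail(ip, "expired")
        if not answer_is_correct:
            return self._fail(ip, "wrong")
        self._failures.pop(ip, None)
        return "ok"

    def _is_blocked(self, ip):
        until = self._blocked.get(ip)
        if until is None:
            return False
        if self._clock() >= until:             # block has run out
            del self._blocked[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def _fail(self, ip, reason):
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= MAX_FAILURES:
            self._blocked[ip] = self._clock() + BLOCK_SECONDS
            return "blocked"
        return reason
```

The clock is injectable so the limits can be exercised in tests without sleeping; in production the counters would live in shared storage rather than in process memory.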

But, in truth, these measures will not help much thanks to the existence of proxy servers.

Bypassing captcha using a proxy

Even in situations where blocking of a large number of attempts to solve a captcha by IP still occurs, this measure does not provide 100% protection from robots.

It's all because of proxy servers and anonymizer programs that work on their basis, which are known, perhaps, to every modern schoolchild who is looking for ways to bypass parental controls and blocking of prohibited sites.

Anonymizers allow you to hide computer data when using the site, including the treasured IP address, by which the client can be identified and blocked.

The scheme is simple: the user connects to a proxy server, where his data is encrypted or replaced with others (for example, you may be assigned an IP address from another country), and then a request is made to the target site to which the client wants to connect.

Thus, an attacker can easily bypass all your IP blocks and will select the correct solution to the captcha for as long as he needs.

And on some sites where the captcha appears only when performing a large number of identical actions (for example, in VK when adding a large number of friends), it may not appear at all if each action is performed from a new IP and with timeouts between attempts to solve the captcha, so that the bot’s behavior is similar to the behavior of a real person.

This method was used half a century ago when writing the first programs to pass the Turing test, the implementation of which is CAPTCHA.

The described principles, by the way, are used by all currently known programs for automatically entering captcha. To change the IP address of connecting to a site, they use free and commercial databases of proxy servers, which are not difficult to obtain if you have the Internet.

Protection: Unfortunately, because of anonymizers and open PROXY databases, you will not be able to protect yourself from captcha hacking by tracking attackers by IP.

The only hope is that the PROXY servers themselves can impose restrictions on the number of IPs used by one user and the number of connections from each of them.

For this reason, you should not abandon IP verification altogether. Thanks to your precautions that protect against captcha bypass, you will be able to block the hacker at one level or another sooner or later.

And the most correct conclusion in this situation would be to use, in addition to this method of protection against captcha hacking, others that help expose the hacker in another way.

Entering captcha automatically using action emulators

If completing a CAPTCHA requires a certain action (clicking a button, moving a slider, etc.), then the captcha can also be bypassed in this situation by simulating the necessary action (a click on a specific control or another action).

The only problem that a hacker may face in this situation is how to find the desired control on the site programmatically.

The easiest way to do this is by its coordinates or position relative to some static elements of the resource.

Protection: To protect yourself from automatic captcha entry in this case, you must constantly change the position of the control element that allows you to solve the CAPTCHA. That is, if out of three people you need to choose only the one whose hand is raised, in no case should he always be placed in the same spot.

Well, in cases of other captcha implementations, when this is not possible (for example, for a download button or the “I am not a robot” field, which can only have one correct answer), it is necessary to use other protection methods that can stop robots from automatically solving the captcha.

How to bypass captcha using high technology

We have looked at the weak points of CAPTCHA implementations, which are security holes and are the most common in practice. However, in practice, even the most impeccable captchas are sometimes unable to protect the resource that uses them from hacker attacks.

These cases of captcha hacking are a direct consequence of modern progress and the level of development of computer technology, which, as we know, is not always used for good purposes.

So, how to avoid captcha using modern technology?

Bypass captcha using OCR

OCR (Optical Character Recognition) is a technology for recognizing printed or typewritten text for its further use in electronic format. The most well-known software that implements this technology is Adobe FineReader.

It is successfully used in creating automatic captcha entry programs that successfully recognize and solve graphic captchas, to complete which you need to enter the sequence of characters shown in the picture.

Hackers, of course, do not use Adobe FineReader (although there may be some 🙂), but write special scripts that, using various ready-made libraries for working with images or using the capabilities of the language for working with graphics, recognize captcha and produce a character sequence, depicted on it.

I found a sufficient number of examples of such scripts on the Internet. The principle of their work was as follows:

  • cleaning the image used in graphic CAPTCHAs from various noises;
  • splitting the displayed string into individual characters;
  • comparison of each of them with a prepared picture (sample).

Graphic samples were prepared taking into account different fonts and possible distortions (tilts, rotations, etc.).

As you may have guessed, the most important thing is to compile a database of symbol images in various variations, with which captcha symbols will then be compared.

Protection: in fact, in order to confuse OCR programs, annoying noises and distortions of characters in pictures are used, because of which the text is sometimes difficult to understand even for a person. But, in the case of robots, this also works well, as a result of which OCR algorithms cannot produce a 100% accurate result, which has a positive effect on the security of captcha and the sites that use it.

If you decide to use graphic captchas, for which you need to enter the characters shown in the picture, then you need to follow the following recommendations:

  1. Symbols on different CAPTCHAs must have different coordinates.
  2. If you use any noise effects to create a background, then its color must match the color of the characters, otherwise the background can be easily removed by highlighting the characters for recognition.
  3. The distance between characters should be minimal. You can even overlay them on top of each other, but only without fanaticism, so that real users can recognize them.
  4. Use different fonts to make it difficult to choose the right one for recognition.
  5. Distort characters in every possible way, change their style and thickness.
  6. Use special libraries that allow you to change characters in such a way that it will be impossible to select a font for their software recognition. An example of such a solution is a captcha from the creator of the resource captcha.ru, which is generated using the author’s wave-like symbol distortion algorithm.

All these measures make it possible to complicate the recognition of graphic captcha for OCR systems and reduce the number of automatic captcha entries.
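Recommendations 1 to 5 expressed as code, added here as an example that is not part of the original article: it builds a render plan (positions, fonts, tilt, thickness, noise) that any image library can then draw. The function names, font names, image size and jitter ranges are assumptions, and the distortion from recommendation 6 is left to the drawing step.

```python
import secrets

_rng = secrets.SystemRandom()                 # CSPRNG: layout and answer are unpredictable
ALPHABET = "ACDEFHJKLMNPRTUVWXY34679"         # assumption: look-alikes (0/O, 1/I) left out
FONTS = ["font-a", "font-b", "font-c", "font-d"]   # hypothetical font names


def new_challenge(length=6):
    """Pick the expected answer with the CSPRNG."""
    return "".join(_rng.choice(ALPHABET) for _ in range(length))


def plan_captcha(text, width=200, height=70, glyph_w=28):
    """Build a render plan that applies recommendations 1-5 from the list above."""
    if 10 + glyph_w * len(text) > width:
        raise ValueError("text does not fit the image")
    ink = tuple(_rng.randrange(0, 120) for _ in range(3))   # one dark colour for everything
    x = _rng.randrange(4, 10)                 # rec. 1: the start offset changes every time
    glyphs = []
    for ch in text:
        glyphs.append({
            "char": ch,
            "x": x,
            "y": _rng.randrange(8, height - 40),   # rec. 1: vertical position varies
            "font": _rng.choice(FONTS),            # rec. 4: fonts are mixed
            "angle": _rng.uniform(-25.0, 25.0),    # rec. 5: tilt
            "stroke": _rng.randrange(1, 4),        # rec. 5: thickness
            "color": ink,
        })
        # rec. 3: advance by 60-90% of a glyph width, so neighbours overlap slightly
        x += int(glyph_w * _rng.uniform(0.6, 0.9))
    noise = [{"from": (_rng.randrange(width), _rng.randrange(height)),
              "to": (_rng.randrange(width), _rng.randrange(height)),
              "color": ink}                        # rec. 2: noise shares the glyph colour
             for _ in range(_rng.randrange(4, 8))]
    return {"size": (width, height), "glyphs": glyphs, "noise": noise}


if __name__ == "__main__":
    answer = new_challenge()
    for glyph in plan_captcha(answer)["glyphs"]:
        print(glyph)
```

The answer string stays on the server, bound to the session; only the rendered image goes to the client.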

How to pass a captcha using neural networks

While OCR is a fairly old technology (the first patented devices were known at the beginning of the 20th century), artificial neural networks (ANNs) appeared only in the second half of the previous century (50 years is a significant age for technologies :)).

It is ANN algorithms that underlie artificial intelligence (AI), the goal of which is to create programs and devices endowed with creative functions, i.e. to create an artificial human.

At the moment, AI is constantly developing, and every day new inventions appear that have previously unseen properties.

At the last conference on neural networks that I attended, it was reported that Google, which is actively involved in developments in this area, has already announced publicly available cloud services based on ANNs.

Using them you can:

  • recognize objects in photographs (from the gender of the person depicted and the brand of his jeans to what game the analyzed picture belongs to, with its entire color palette, the name of the location and what is happening in it);
  • control devices with voice and gestures;
  • write annotations for videos based on what happens in the video, etc.

Naturally, with these capabilities, creating a program for automatically entering captcha using ANN principles is not difficult for knowledgeable people.

One such product was developed by Vicarious in 2014. The neural network it developed is capable of recognizing captchas in 90% of cases (let me remind you that to solve the classic Turing test, which is CAPTCHA, only 1% of correct answers are needed).

Protection: Unfortunately, it is impossible to protect against this type of attack. Fortunately, the ANN from Vicarious will not be used for targeted attacks to bypass captcha on websites, because it is too expensive for such small tasks (the manufacturers themselves say that it is a cluster of many servers). Its main area of application is solving various problems in medicine and robotics.

And cracking captcha with its help is just a demonstration of its capabilities.

But time passes, technologies that were expensive just yesterday are becoming cheaper, and the time is not far off when ANN products will become widespread. Therefore, it is quite possible that in the future there will be bots for automatically entering captchas, equipped with artificial intelligence.

Bypass captcha using public services

As OCR and AI systems developed, graphical captchas became more and more complex, which demanded enormous effort from their developers during implementation. But that effort still turned out to be futile, because it did not give sites 100% protection against automated attacks.

Therefore, Google took, as it seems to me, the right path and decided to simply invent a new standard, noCAPTCHA, eliminating the need to manually enter characters from pictures.

The development of reCAPTCHA noCAPTCHA drew on the experience of fighting robots in the early days of captcha and on modern developments in artificial intelligence, which makes it possible to ensure a proper level of site security without making life too difficult for Internet users.

But despite the fact that this standard appeared quite recently, in 2015, a way to automatically solve it has already been found. And it does not lie in the use of artificial intelligence.

It is much more mundane: to pass Google reCAPTCHA, you just need to use Google’s own image and speech recognition services.

Image recognition in the case of reCAPTCHA v2 (the same noCAPTCHA) is unlikely to help, because for graphical tasks, you need to select images that contain the necessary objects, and not enter the depicted symbols, as was the case in the previous version.

But Google Speech Recognition, one of Google’s achievements in artificial intelligence mentioned in the previous method of bypassing captcha, will be very useful. Since the service provides an API, creating an application based on it is not difficult.

Protection: Unfortunately, in this situation, as in the previous one, where ANNs were used to bypass the captcha, it will not be possible to protect against the bypass. The only positive point, again, is that suitable services are only relatively available, because Google gives you just a $300 trial to use them.

Once the trial is used up, the services become paid. But this is unlikely to be a hindrance for hackers, because they can earn even more from attacks that use automatic captcha entry.

So, when speech and image recognition services are used to crack captcha, the only remaining hope is the vigilance of their administration, which can block an account if it discovers that it is being used exclusively for the described purposes.

How to pass a captcha using human labor

To complete the list of ways to bypass captcha, I decided to consider one that does not fit into any of the categories listed above.

It is not based on exploiting vulnerabilities in CAPTCHA implementations or on modern technologies, but on the natural human desire to make money.

And at the same time, this method helps to crack a captcha of any complexity in 100% of cases and, moreover, to do this without much financial, physical and moral effort.

We are talking about one of the modern ways of making money, which, by the way, appeared around the time when CAPTCHA became difficult to recognize programmatically.

Its essence is that a special service is created that supposedly allows people to earn money (mostly small amounts, which may be enough only for Indians or schoolchildren who are looking for any way to get money) by manually solving captchas.

And anyone who needs them solved can submit captchas to the service.

Basically, these are hackers who use the answers of real users for their own selfish purposes:

  • automation of earnings;
  • sending spam;
  • buying tickets and goods in online stores for more expensive resale;
  • website hacking, etc.

To make the process more convenient, the services even provide an API, thanks to which the captcha can be completed online. That is, the user enters a captcha through the service, and at that moment his answer is used to confirm an online purchase.

Many programming experts, by the way, can use human labor absolutely for free. For example, this is how owners of porn sites, file sharing services, torrents and other dubious resources that provide free services earn their living.

They supposedly provide users with valuable content for free, asking only that you confirm you are a person and not a robot, and the attackers then use that confirmation for their own purposes.

Naturally, we don’t think for long, because getting the opportunity to download a long-awaited movie in HD quality absolutely free of charge by ticking some “I’m not a robot” box is just a trifle. Meanwhile, your action is used through the API to bypass a captcha on another, third-party site.

Hence the moral: always remember that free cheese is only in a mousetrap and nothing is free.

Protection: unfortunately, today this is the most effective method of bypassing captcha, and there is no means of protection against it. And there won’t be until those who want to earn pennies through hard labor and the lovers of free content are gone, i.e., most likely, never.

Bypassing captcha - conclusions

While writing this article, I came to the conclusion that captcha, despite the excellent idea with which it was conceived, namely, protecting sites from robots, has long ceased to fulfill its functions.

If you can still protect yourself from automated captcha bypasses that use weak points in CAPTCHA implementations by eliminating all problems with their security, then it is simply impossible to protect yourself from entering captchas by real users for money.

The only saving grace in this whole situation is that they pay ridiculous amounts of money for this kind of work and few people agree to do it, so the scale of cyber attacks using automatic captcha entry is not as catastrophic as it could be.

Also, “invincible” methods of bypassing captcha include artificial intelligence technologies, which have been actively developing in recent years.

At the same time, in order to make life more difficult for hackers, captchas are constantly “inflated” with new functionality, which makes completing them a difficult and tedious task even for real site users.

Remember the same Google reCAPTCHA: check the box and, if Google didn’t like something, select the necessary pictures (by the way, I still have problems with road signs, because I can complete such a task in about 5 attempts). Isn’t that a lot of hassle just to leave a comment or register on a site? It’s easier to find another resource...

But, despite these precautions, captcha currently cannot be called an ideal way to protect against robots, for which many people criticize it and are trying to look for alternatives.

At the same time, the fact that CAPTCHA continues to be used as a cybersecurity technology and is constantly being developed, including by Google, which will not invest money in dubious projects, suggests that this technology will exist for a long time.

Therefore, when developing and supporting sites that use captcha, it is necessary to actively apply the recommendations outlined above in order to make life as difficult as possible for hackers trying to hack them.

And don’t forget to share your thoughts about existing methods of bypassing captchas and measures to protect against them in the comments under the article :)
