Google is testing a webcam CAPTCHA that scans your hand, but it's already been bypassed using a photo
Google is working on a new kind of challenge to improve its reCAPTCHA system, using biometric identification to confirm that the user is indeed human. The new method is officially named "hand gesture verification" (HGV), and, according to early testing, is mostly useless. Even worse, HGV might pose a significant privacy risk.
The system works by prompting the user to hold their hand up to their webcam and perform a specific gesture, such as showing a certain number of fingers or making a peace sign. Google claims this approach is more user-friendly than traditional CAPTCHAs that require typing distorted text or identifying traffic lights in a grid of photos.
Early testing reveals major flaws
Security researchers have already demonstrated a simple bypass. By holding a printed photograph of a hand in front of the webcam, they were able to trick the system into granting access. The method requires no special equipment or technical expertise.
Key findings from the testing include:
- A standard color printout of a hand successfully passed the verification in multiple attempts.
- The system does not appear to check for depth, movement, or skin texture.
- No liveness detection is implemented to distinguish a real hand from a static image.
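A minimal liveness gate of the kind these findings say is missing, added here as an illustration and not code from Google's HGV system. It assumes a hypothetical upstream hand-pose model that reports a raised-finger count and a hand centroid per webcam frame, and it rejects a static image on two independent grounds: the centroid never moves, and a single photo cannot follow a randomised multi-step gesture challenge.

```python
import random
import statistics
from dataclasses import dataclass

@dataclass
class Frame:
    t: float         # seconds since capture started
    fingers: int     # raised fingers the hypothetical pose model counted
    centroid: tuple  # hand centroid (x, y) in normalised image coordinates

def make_challenge(rng=random, steps=3):
    """Random ordered sequence of distinct finger counts the user must show."""
    return rng.sample(range(1, 6), steps)

def verify_liveness(frames, challenge, min_motion=1e-4, max_step_s=4.0):
    """Return (ok, reason). A static printout fails both checks: its centroid
    never moves and it can only ever show one finger count."""
    if len(frames) < 2:
        return False, "too few frames"
    # Check 1: movement. A photo held still has near-zero centroid variance.
    motion = (statistics.pvariance([f.centroid[0] for f in frames])
              + statistics.pvariance([f.centroid[1] for f in frames]))
    if motion < min_motion:
        return False, "no hand motion"
    # Check 2: the challenge counts must appear in order, each within
    # max_step_s of the previous step. A waved photo still fails here.
    idx, last_t = 0, frames[0].t
    for f in frames:
        if idx == len(challenge):
            break
        if f.fingers == challenge[idx]:
            if f.t - last_t > max_step_s:
                return False, "step timed out"
            last_t, idx = f.t, idx + 1
    if idx < len(challenge):
        return False, f"challenge incomplete ({idx}/{len(challenge)})"
    return True, "ok"

# Constructed sample inputs standing in for real pose-model output.
def static_photo_frames(fingers=2):
    return [Frame(i * 0.1, fingers, (0.5, 0.5)) for i in range(30)]

def waved_photo_frames(fingers=2):
    return [Frame(i * 0.1, fingers, (0.5 + 0.05 * (i % 4), 0.5)) for i in range(30)]

def live_hand_frames(challenge):
    # A real user switches gesture every second with slight natural jitter.
    return [Frame(i * 0.1, challenge[min(i // 10, len(challenge) - 1)],
                  (0.5 + 0.03 * (i % 3), 0.5 - 0.02 * (i % 2))) for i in range(30)]
```

This only closes the static-photo gap the findings describe; a replayed video of a live hand would satisfy both checks, which is why production liveness detection also relies on depth and skin-texture cues.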
Privacy concerns
Beyond the security flaws, the system raises significant privacy issues. Users must enable their webcam and share biometric data - specifically, images of their hand - with Google's servers. This data could potentially be used for:
- Creating a biometric profile linked to the user's Google account
- Tracking users across different websites that implement the CAPTCHA
- Storing hand geometry data for future identification purposes
The Electronic Frontier Foundation (EFF) has already voiced concerns, stating that "biometric CAPTCHAs represent a dangerous expansion of surveillance infrastructure under the guise of security."
Current status
Google has not officially announced a public rollout of HGV. The feature is currently in limited testing on a small number of sites. Given the demonstrated bypass and the privacy backlash, it remains unclear whether Google will proceed with the system or return to the drawing board.