New hCaptcha bypass method may not affect Cloudflare’s security

New hCaptcha bypass method

In March 2021, researchers at the University of Louisiana at Lafayette presented a paper on a new method for bypassing hCaptcha, the service that replaced Google’s reCAPTCHA at Cloudflare last year. The experts developed an attack that uses browser automation tools, image recognition, image classifiers, and machine learning algorithms to download hCaptcha tasks, recognize image content, classify the images, and then solve the challenges.

Moreover, unlike other attacks on various CAPTCHA systems, this method does not require much computing power: the researchers’ equipment consisted of a simple Docker container running Ubuntu, with a tri-core processor and 2 GB of memory.

The researchers write that their attack works with an accuracy of 95.93% and takes on average only 18.76 seconds to crack hCaptcha. Moreover, the attack could have worked even faster if the researchers had replaced their own image classifier with services such as Google Cloud Vision, Amazon Rekognition and Microsoft Azure Cognitive Vision.

The authors of the report warned that the method they developed could help attackers bypass hCaptcha on live sites and carry out automated attacks, including posting spam on forums, scraping content, and so on.

The Record turned to Cloudflare for comment as the University of Louisiana’s findings alarmed many site owners. The company said that “hCaptcha is just one of various methods Cloudflare uses to detect and potentially block automated traffic.” Cloudflare claims that they have additional systems to detect automated attacks, and there is no need to worry about a new attack method.

The developers of hCaptcha, in turn, reported that they have already implemented in their CAPTCHA the methods the experts proposed to mitigate the consequences of such attacks. However, hCaptcha acknowledged that the free version does not prevent all types of automated attacks, but solely due to some design decisions.

“Our system shouldn’t merge real-time detections. Unlike reCAPTCHA, where you can just log in and get the bot’s stamp, which makes it trivial to hack. This limits the functionality of the free version [researchers] tested, which is designed in such a way as not to completely prevent all detected automation from working if it gives the correct answers. Instead, one of the tools that hCaptcha relies on is frequent change of the classes and types of tasks. Moreover, it also has protection to avoid leakage. Thus, after reviewing the document, we told them that in fact, the anti-leakage protection worked as intended,” hCaptcha developers say.

Let me remind you that I wrote that Hackers force users to solve CAPTCHA.

By Vladimir Krasnogolovy
