The iframe bug in No CAPTCHA was fixed long time ago, and now reCAPTCHA 2.0 is pretty secure and widespread. Bypassing it also got a lot harder, now it requires many solutions in a row, making bruteforce infeasible.

But following neat trick will always be working even though it was shown 3 years ago.

Before visiting reCAPTCHA-protected victim page, we get victim’s SITEKEY (client side API key for reCAPTCHA) and get challenges on our own. With bunch of prepared “solutions” (g-recaptcha-response values) that are good for ~130 seconds, it’s much easier to:

  • run a bot/script/parser/poster, and not mess with a headless browser like PhantomJS

  • test a race condition for reCAPTCHA-protected endpoint

  • buy high-demand tickets (like Burning Man or Machu Picchu) the second after they become available

PrepCAPTCHA is centralized Sinatra-based in-memory queue of valid reCAPTCHA solutions. Solving and using are now two separate processes:

1) Solvers need to run JS snippet in console of the victim’s website (don’t forget to set correct SITEKEY). Solutions are added to PrepCAPTCHA queue.

2) When your script stumbles upon a reCAPTCHA, it makes a GET request to PrepCAPTCHA.host/?sitekey=CURRENT_SITEKEY to get a valid g-recaptcha-response.

P.S. for large volumes consider making an extension or hacking existing one to abuse real users’ cookies and get g-recaptcha-response-s on demand w/o any “solving” (1 click experience).

Apr 16, 2016 • Egor Homakov (@homakov)

Subscribe to our blog via Twitter @SakurityNetwork, RSS or Email