Google’s new reCAPTCHA experiment was supposed to make life harder for bots by asking people to wave at their webcam or show an open palm. Instead, the Google hand-gesture CAPTCHA was beaten with a stock photo and a virtual camera trick, which is a fairly awkward way for a security test to open its short career.

The feature, called Hand Gesture Verification, was introduced in mid-June as a camera-based alternative to the usual traffic lights and blurry text. Google says the short clip is analyzed by AI, the recording is not stored, and it is deleted immediately after verification. That pitch sounds modern and privacy-friendly, but it also assumes the system can tell the difference between a real hand and a flat image pretending to be one.

How Google’s hand-gesture CAPTCHA works

Instead of clicking squares, users are asked to grant camera access and perform the gesture shown on screen. The idea is simple: make the challenge easier for humans and harder for automation. That is the same general direction the industry has been taking for years, because classic CAPTCHAs have become increasingly easy for bots and increasingly annoying for people.

But any system that relies on webcam input now has to deal with software that can fake webcam input. That is the part Google seems to have underestimated, or at least not closed off tightly enough.

A stock image was enough

A user on X showed the challenge being fed a stock image of a person with a raised hand through OBS Virtual Camera, a tool that can present any picture or video as a live camera feed. On the second attempt, the site let him through. A journalist at Neowin reproduced the test as well, needing several tries and a few different stock photos, plus some repositioning in the frame, before Google accepted the still image as a live gesture.

That is the uncomfortable punchline: the first widely discussed test of Google’s next-generation CAPTCHA appears to be vulnerable to the oldest trick in the computer-security playbook, namely “show the system exactly what it wants to see.” If a static photo can pass after a bit of nudging, attackers do not exactly need to sharpen their tools much.

What this means for CAPTCHA in 2026

Google is not alone in trying to move away from image grids and text puzzles. The broader shift is toward behavior checks, device signals, and short-lived visual challenges, because the old forms are easy to outsource to humans or solve with automation. The problem is that the more human the check looks, the more it starts to depend on fragile assumptions about cameras, lighting, and whatever software is sitting between the browser and the hardware.

For now, the lesson is blunt: a CAPTCHA designed to spot a hand gesture still needs to know what a hand gesture actually is. Google may tighten the rules before the test spreads further, but if this is the first public demonstration, bot operators have already been handed a roadmap. The next move will probably be some mix of stricter liveness detection and more aggressive device checks, because a waving hand that turns out to be a JPEG is not much of a moat.
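
The still-image failure described above can be illustrated with a minimal temporal check, added here as an example and not taken from Google’s implementation: it flags a clip as static when motion between frames is absent or confined to an isolated jump, such as a photo being repositioned in the frame. The frame format, thresholds and sample clips are assumptions constructed for the illustration.

```python
import random

# Assumed frame format (not from the article): a list of rows of 0-255 grayscale ints.

def frame_delta(a, b):
    """Mean absolute pixel difference between two equal-sized grayscale frames."""
    total = sum(abs(pa - pb) for ra, rb in zip(a, b) for pa, pb in zip(ra, rb))
    return total / (len(a) * len(a[0]))

def moving_fraction(frames, noise_floor=2.0):
    """Fraction of consecutive frame pairs whose delta exceeds the noise floor."""
    deltas = [frame_delta(a, b) for a, b in zip(frames, frames[1:])]
    return sum(d > noise_floor for d in deltas) / len(deltas)

def looks_static(frames, noise_floor=2.0, min_moving=0.5):
    """True when motion is absent or limited to a few isolated frame pairs."""
    if len(frames) < 2:
        return True  # nothing to compare, so liveness cannot be shown
    return moving_fraction(frames, noise_floor) < min_moving

# --- Constructed sample clips: 16x16 grayscale, 20 frames each ---
W = H = 16
rng = random.Random(7)  # fixed seed so the constructed noise is reproducible

def hand_frame(x, noise=1):
    """Dark background, bright 4x8 'hand' block at column x, small sensor-like noise."""
    return [[(200 if x <= c < x + 4 and 4 <= r < 12 else 20) + rng.randint(-noise, noise)
             for c in range(W)] for r in range(H)]

def wave_x(i):
    """Block position that sweeps right, then back left, one column per frame."""
    return 2 + (i % 8 if i % 16 < 8 else 8 - i % 8)

still_photo = [hand_frame(6) for _ in range(20)]                     # same picture every frame
repositioned = [hand_frame(3 if i < 10 else 9) for i in range(20)]   # one jump mid-clip
waving = [hand_frame(wave_x(i)) for i in range(20)]                  # continuous motion

if __name__ == "__main__":
    for name, clip in [("still", still_photo), ("repositioned", repositioned),
                       ("waving", waving)]:
        print(name, round(moving_fraction(clip), 3), looks_static(clip))
```

This covers only the still-image case reported here and would be one signal among the liveness and device checks the article anticipates.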

Source: Kod
