Google's new hand-wave reCAPTCHA can be bypassed with a stock photo

Google's new reCAPTCHA method that asks users to record a hand-waving gesture can be bypassed with a stock photo and OBS virtual camera.

Google is testing a new reCAPTCHA method that asks you to wave at your camera to prove you're human. So, besides solving puzzles and reading distorted text, you can now use your computer’s camera to pass the verification test.

When the hand gesture verification is triggered, your browser asks for camera access and prompts you to perform a simple gesture, like a wave or an open palm. Google says it records a short video of the movement and uses AI to extract 21 hand-knuckle coordinates to complete the verification process. The video is then immediately deleted, and Google swears it doesn't keep it.

The process alone can be uncomfortable for people who don't want their biometric data recorded, and hand scans technically qualify as biometric data. But there is a further problem: early testers discovered that the new hand-waving reCAPTCHA can be passed with a simple stock image.

A user on X tested the new challenge using a stock image of a hand fed through OBS Virtual Camera, and it passed. I wanted to verify it, so I tried the same thing. It took me a few tries and a few stock images, but in the end, I was also able to pass the test. I simply had to readjust the stock image of a generic person waving inside OBS, and Google’s mechanism registered it as a legitimate hand gesture.

Once again, it didn’t even have to be a video or an AI-generated hand animation. Given the simplicity of the process, the entire action can be automated in minutes. All it takes is a simple Python script to render the new reCAPTCHA method obsolete. And it doesn’t even have to be an AI bot, which is usually used for solving puzzles and other verification methods.

The new reCAPTCHA method is still in its early phase, and Google will, hopefully, update its AI to at least reject still images. However, this incident, combined with users’ initial skepticism about Google’s practices regarding user data, likely won’t make too many people wave at the camera anytime soon.
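
The article hopes Google will at least reject still images. The following is an added example, not Google's implementation or code from this article, of one way a verifier could do that with the 21 landmark coordinates: a photo that is dragged, resized or rotated in a virtual camera moves all landmarks as one rigid shape, while a live hand changes shape between frames. It assumes landmarks arrive as 2D points per frame (modelled here as complex numbers); the function names, the `1e-3` threshold and both sample feeds are constructed for illustration.

```python
import cmath
import math

def rigid_residual(ref, cur):
    """Share of cur's landmark spread NOT explained by shifting, scaling or rotating ref."""
    n = len(ref)
    ref_c, cur_c = sum(ref) / n, sum(cur) / n
    r = [z - ref_c for z in ref]          # centre both shapes to cancel translation
    c = [z - cur_c for z in cur]
    denom = sum(abs(z) ** 2 for z in r)
    spread = sum(abs(z) ** 2 for z in c)
    if denom == 0 or spread == 0:
        return 0.0                        # degenerate input: no articulation to measure
    # Least-squares complex factor a (scale + rotation) minimising sum |c - a*r|^2
    a = sum(w * z.conjugate() for z, w in zip(r, c)) / denom
    return sum(abs(w - a * z) ** 2 for z, w in zip(r, c)) / spread

def looks_like_still_image(frames, threshold=1e-3):
    """True when every frame is just a moved/scaled/rotated copy of the first one."""
    ref = frames[0]
    return max(rigid_residual(ref, f) for f in frames[1:]) < threshold

def make_hand(spread_deg):
    """Constructed 21-point hand: wrist plus 5 fingers x 4 joints, fanned by spread_deg."""
    pts = [0j]
    for finger in range(5):
        angle = math.radians(90 + (finger - 2) * spread_deg)
        pts += [cmath.rect(0.25 * joint, angle) for joint in range(1, 5)]
    return pts

def place(hand, scale, rot_deg, shift):
    """Apply a 2D similarity transform, as happens when an image is repositioned."""
    a = cmath.rect(scale, math.radians(rot_deg))
    return [a * z + shift for z in hand]

# Constructed feed 1: one fixed pose that is only moved, resized and rotated.
STILL_FEED = [place(make_hand(15), 1 + 0.1 * t, 4 * t, complex(0.05 * t, -0.02 * t))
              for t in range(6)]
# Constructed feed 2: fingers fan in and out between frames while the hand moves.
LIVE_FEED = [place(make_hand(15 + 10 * math.sin(t)), 1.0, 4 * t, 0.05 * t)
             for t in range(6)]

if __name__ == "__main__":
    print("still feed rejected:", looks_like_still_image(STILL_FEED))
    print("live feed rejected: ", looks_like_still_image(LIVE_FEED))
```

Real landmark detectors are noisy, so the threshold would need tuning on genuine captures, and this check only addresses a single still image, not a replayed video.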
