Cloudflare is nixing Google’s reCAPTCHA tool and replacing it with what the network services company’s CEO calls “a better CAPTCHA” service, hCaptcha. Google’s reCAPTCHA is a type of CAPTCHA (an acronym for “Completely Automated Public Turing Test to Tell Computers and Humans Apart”) that uses prompts to distinguish humans from potentially malicious machines or bots.

Cloudflare said the main driver for the swap was that Google is now charging for use of its reCAPTCHA tool, but customer privacy and availability were other factors. A Google spokesperson clarified to Threatpost that there is [no charge for this service](<https://developers.google.com/recaptcha/docs/faq#are-there-any-qps-or-daily-limits-on-my-use-of-recaptcha>) for usage below a limit of one million queries per month.

“We’re excited about this change because it helps address a privacy concern inherent to relying on a Google service that we’ve had for some time and also gives us more flexibility to customize the CAPTCHAs we show,” said Cloudflare CEO Matthew Prince, along with product manager Sergi Isasi, in a [Wednesday post](<https://blog.cloudflare.com/moving-from-recaptcha-to-hcaptcha/>).

ReCAPTCHA started as a research project out of Carnegie Mellon University in 2007, and was later acquired by Google in 2009. Fast forward to today, [Google’s reCAPTCHA service](<https://threatpost.com/google-updates-recaptcha-no-more-boxes-to-check/138669/>) (v3) is used by over [1.5 million websites](<https://trends.builtwith.com/widgets/reCAPTCHA-v3>) for rooting out bots.

Cloudflare is one of those customers, having used Google’s reCAPTCHA service since “its earliest days.” “When we were looking for a CAPTCHA for Cloudflare, we chose reCAPTCHA because it was effective, could scale, and was offered for free — which was important since so many of Cloudflare’s customers use our free service,” said Prince.

![Google reCAPTCHA](https://media.threatpost.com/wp-content/uploads/sites/103/2020/04/09133805/image3-4.png)

Google initially provided reCAPTCHA for free in exchange for data from the service, which was used to train its visual identification systems. But according to Prince, earlier this year Google said it planned to start charging for reCAPTCHA use. According to The Register, [Google said](<https://www.theregister.co.uk/2020/04/09/cloudflare_dumps_recaptcha/>) there’s no charge for reCAPTCHA unless customers exceed one million queries per month (or 1,000 API calls per second).

While “it makes perfect sense for Google to ask for payment for the service they provide,” Prince said, “In our case, that would have added millions of dollars in annual costs just to continue to use reCAPTCHA for our free users. That was finally enough of an impetus for us to look for a better alternative.”

Another driving factor for the switch is privacy and availability, Prince said. Because the service was initially offered for free in exchange for data, Cloudflare customers expressed concerns over the years about Google’s business targeting them with ads (although Google has said in the past that its reCAPTCHA service [is not used for ad targeting](<https://www.businessinsider.com/google-no-captcha-adtruth-privacy-research-2015-2>)). In addition, Google’s services are blocked in some regions, including China (which accounts for 25 percent of all Internet users), meaning that Google’s reCAPTCHA service was not available to Cloudflare customers in those regions.

“Over the years, the privacy and blocking concerns were enough to cause us to think about switching from reCAPTCHA,” said Prince. “But, like most technology companies, it was difficult to prioritize removing something that was largely working instead of brand new features and functionality for our customers.”

After evaluating a number of CAPTCHA vendors (and even pondering building its own system), Cloudflare chose hCaptcha as an alternative to reCAPTCHA. hCaptcha, a service from AI and machine learning company Intuition Machines Inc., bills itself as “a drop-in replacement for reCAPTCHA: you can switch within minutes” [on its website](<https://www.hcaptcha.com>).

The standard hCaptcha business model is similar to the two-pronged model that reCAPTCHA first used when it began: hCaptcha charges customers that need image classification data, and on the other end pays publishers to install its CAPTCHA on their sites. However, because of Cloudflare’s massive scale, the company will be paying Intuition Machines Inc. (instead of being paid by the company) to use hCaptcha with more resources and more scalable infrastructure. While Cloudflare will be paying hCaptcha, the costs will still be “a fraction” of the price of Google’s reCAPTCHA.

On the privacy front, Prince contends hCaptcha doesn’t sell personal data, and only collects “minimum necessary personal data.” He also cited hCaptcha’s performance and expanded availability (to regions where Google was blocked) as other reasons why it was a good alternative to reCAPTCHA.

CAPTCHAs have long been used by websites and services to root out bots, but security researchers have raised concerns over the years about how readily CAPTCHA systems can be bypassed. Researchers have proved [time](<https://threatpost.com/uncaptcha-googles-recaptchas/140593/>) and [time again](<https://threatpost.com/googles-recaptcha-cracked-again/128690/>) that they are able to bypass Google’s reCAPTCHA, for instance.

Deepak Patel, security evangelist with PerimeterX, said the move from reCAPTCHA to hCaptcha underscores the imperfections of the verification system. “hCaptcha is monetizing the CAPTCHA solving work performed by site visitors in a slightly different fashion from Google; it is allowing for companies other than the website owners to bid for the work performed by the site visitors,” he said via email. “Even as organizations attempt to make challenges [the prompts presented by CAPTCHAS] easier for humans and harder for bots, the reality is that challenges are easier for bots, and people are stuck choosing pictures from a collage and taking further time out of their shopping experience.”

Threatpost has reached out to Google for further clarification about the price changes for reCAPTCHA.