Google CAPTCHA - is this a “Man-in-the-Middle” Attack?
In order to showcase my skills and experience on the “Web”, I have created a website using a well-known “Self Build” website provider. With this provider I can easily edit and publish my website at a very reasonable price so I was very satisfied - that is until the weekend just gone.
During last week I had trouble accessing some metrics on my site and then at the weekend I had trouble logging in. I contacted the helpdesk and informed them that I use “IE 11” as I didn’t like the invasiveness of the newer Microsoft browsers – like “Edge”. I was advised to try “Firefox” to log in - which I did and was confronted with a “CAPTCHA” screen as a security device to check if I was a “Robot” or not.
It all seemed reasonable until I noticed at the bottom of the screen that if I clicked “Log in with Captcha” I would be accepting Google’s private policy and terms of use. The following is an excerpt of what this means – found at https://termsfeed.com/blog/privacy-policy-recaptcha/
How “Invisible Captcha” Works
Invisible Captcha, or reCAPTCHA, requires end-users to click a button that says “I’m not a robot”, and Google can determine whether to prompt the user with additional questions (i.e. select the pictures that best describe X) to verify that the person is in fact not a robot.
ReCAPTCHA collects personal information from users to make this determination of whether they’re human and not a bot.
So, what personal information does the reCAPTCHA collect?
First, the reCAPTCHA algorithm will check to see if there’s a Google cookie placed on the computer being used.
Then, an additional reCAPTCHA-specific cookie will be added to the user’s browser, and a complete snapshot of the user’s browser window at that moment in time will be captured, pixel by pixel.
Some of the browser and user information collected at this time includes:
- All cookies placed by Google over the last 6 months,
- How many mouse clicks you’ve made on that screen (or touches if on a touch device),
- The CSS information for that page,
- The date,
- The language your browser is set to,
- Any plug-ins you have installed on the browser, and
- All JavaScript objects
================================================================
Note: it says “Some of the browser and user information collected at this time includes” – so what are they really collecting?
So to put it all into context:
- I am paying for and using a website to conduct my business
- That website implements an extra layer of security
- That layer of security protects the website
- That layer of security forces me to accept Google’s “private policy and terms of use”
Whoa – the website is implicit in forcing me to accept a Google product and policy that I do not wish to accept. The result – I can no longer log into the web service that I am paying for unless I allow Google to STEAL my information.
So, if I accept the use of the Captcha, Google becomes “the man in the middle”.
How clever is that - producing a security tool (that is used by many third parties) to gain access to information, even if the end user has no Google “Apps or Cookies” present on their hardware.
In my opinion this should be outlawed right now!!
What do you think?