YYaaa News

Google's new hand-gesture reCAPTCHA — 21 keypoints, defeated by a stock photo

TL;DR

Google launched a hand-gesture reCAPTCHA on June 19, using 21 MediaPipe hand keypoints for liveness. Neowin bypassed it on first try by holding a stock photo of a hand in front of the camera.

Google rolled hand-gesture verification into reCAPTCHA on June 19, sitting inside Google Cloud Fraud Defense. Sites that adopt it can replace stoplight-grid puzzles with a camera prompt asking users to gesture in front of the lens. Under the hood, MediaPipe Hand Landmarker extracts 21 hand-knuckle keypoints to certify a live human.

Google draws the privacy line hard in its docs: "The videos are never associated with a user's identity and are deleted after the verification process. Audio is never recorded." Camera footage is used once, deleted, not tied to identity, no audio, no third-party sharing. Users who can't complete the gesture fall back to the existing visual and audio challenges.

The problem is the substance. A Neowin tester held a static stock photo of a hand in front of the webcam and the challenge cleared. The 21-keypoint model doesn't check whether the joints belong to a living finger — there isn't even a blink-tier liveness gate. 80.lv echoed the concern on June 22: "it's not really clear how well this would hold up against virtual cameras and AI-generated animations that can mimic hand gestures." The feature shipped as a deepfake countermeasure and got tripped by a JPEG on its first public test.

Two community objections fire at once. Cybernews, Reddit, and X readers don't want to hand camera permissions to an ad company in exchange for a humanity proof; reCAPTCHA already runs invisible behavioral scoring, and pulling biometric capture into the loop pushes the whole flow into GDPR grey zone. Google has not commented on the stock-photo bypass.

If it works, camera-based gesture verification becomes reCAPTCHA's next moat against agentic browser bots, and Cloud Fraud Defense adoption pulls it across every Google reCAPTCHA site. If it doesn't, this is the seed of the most expensive GDPR fine in Google's history — camera permission taken, stock photo still let through.

via Cybernews / Google Cloud Docs / Neowin / Help Net Security / 80.lv
Google reCAPTCHA 首次要看你的手|21 個關節點驗證上線,被一張庫存照繞過