Evil reCAPTCHA: Weaponizing Trust and the Clipboard
In a world where users are trained to “trust the checkbox,” I decided to flip the script.
We’re so used to seeing reCAPTCHA that we barely think twice before clicking “I’m not a robot.” That’s exactly what I leveraged — muscle memory, blind trust, and a clever combination of JavaScript and clipboard manipulation.
The Setup: Fake Login + Fake CAPTCHA
I built a clean, minimalistic login page. Everything looked legitimate: a username field, a password input, and a familiar checkbox with the iconic “I’m not a robot” line.
Here’s the twist:
The checkbox wasn’t a real reCAPTCHA at all. It was just a styled div with a few lines of JavaScript behind it. And that’s where the magic began.
When They Click the Checkbox…
The moment a user clicked the checkbox, three things happened:
1. A custom payload was instantly copied to their clipboard.
2. They saw instructions on what to do next in order to be “verified.”
3. It looked harmless — a standard verification step, right? But what they had just pasted was something entirely different.
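As an added, defensive example that is not part of the Evil reCAPTCHA project: a small guard a browser extension or hardened page could install around navigator.clipboard.writeText so that a click handler cannot silently stage a shell command on the clipboard. The detection patterns, the stand-in navigator and the sample strings are constructed assumptions, not anything from the original post.

```javascript
// Added example (not the project's code): a clipboard guard that blocks
// click handlers from copying shell commands, the mechanism the fake
// "I'm not a robot" checkbox relies on. Heuristics are constructed and
// should be tuned per environment.

// Patterns a paste-into-a-shell payload tends to match.
const SHELL_PATTERNS = [
  /^\s*(powershell(\.exe)?|pwsh|cmd(\.exe)?)\b/i, // starts by naming an interpreter
  /\s-(enc|encodedcommand)\s+\S+/i,              // encoded PowerShell command
  /\bnet\s+user\b.*\/add\b/i,                     // local account creation
];

function looksLikeCommand(text) {
  return SHELL_PATTERNS.some((re) => re.test(text));
}

// Wrap nav.clipboard.writeText. Benign writes pass through; suspicious ones
// are recorded in state.blocked and rejected, so nothing reaches the clipboard.
function installClipboardGuard(nav) {
  const clip = nav.clipboard;
  const original = clip.writeText.bind(clip);
  const state = { blocked: [], restore: () => { clip.writeText = original; } };
  clip.writeText = (text) => {
    const s = String(text);
    if (looksLikeCommand(s)) {
      state.blocked.push(s);
      return Promise.reject(new Error('clipboard write blocked: looks like a shell command'));
    }
    return original(s);
  };
  return state;
}

// Constructed stand-in for navigator.clipboard so the example runs under Node.
function makeFakeNavigator() {
  const writes = [];
  return { writes, clipboard: { writeText(t) { writes.push(t); return Promise.resolve(); } } };
}

// Stand-alone demo: one benign copy and one constructed ClickFix-style payload.
function demo() {
  const nav = makeFakeNavigator();
  const guard = installClipboardGuard(nav);
  nav.clipboard.writeText('verification code 4821');
  nav.clipboard.writeText('powershell -NoProfile -Command "<constructed placeholder>"')
    .catch(() => {});
  return { allowed: nav.writes, blocked: guard.blocked };
}

console.log(demo()); // allowed: the code string; blocked: the powershell string
```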
The Payload: Social Engineering Meets Scripting
The copied payload could be anything. Some examples I tested:
- Opening PowerShell and making the victim’s PC send me some data
- Adding a new hidden user to the system
Why It Works
People trust reCAPTCHA. They don’t expect a checkbox to trigger clipboard actions or to guide them into executing commands themselves.
This isn’t just hacking code — this is hacking psychology.
They believe they're the ones in control. That’s the genius of this method:
> You don’t run code on their machine — they do it for you.
Final Thoughts
The Evil reCAPTCHA project isn’t about tricking users — it’s about showing how blind trust and predictable behavior can be exploited, even in the most familiar interfaces.
Never forget:
> Sometimes the most dangerous malware… is trust.
Stay smart. Stay suspicious.