[grimtrigger]

It seems like they're using cursor tracking to validate human-ness. Assuming thats the case: Since the cursor is outside of javascript's control, it would force the attacker one level higher (to the browser/os, instead of the dom). Not impossible, but still a significant barrier.

[fatratchet]

Not really, you would just need to reverse the js code, look at what data they actually send to google and randomly generate appropriate data like mouse movements.

[grimtrigger]

Ah, good point