
Hacking Google ReCAPTCHA v3 Using Reinforcement Learning - ArtWomb
https://arxiv.org/abs/1903.01003
======
mosselman
"Our proposed method achieves a success rate of 97.4% on a 100x100"

I think that is higher than what I get when I do it myself.

~~~
westondeboer
I can never get the street lights one, and then it gives me the bus one, which
I can never get right either and then finally it gives me the bus one. Which I
am 100% at, maybe.

~~~
fortenforge
This is ReCAPTCHA v3 which does not include any of the image recognition
tasks. It's just a matter of clicking the checkbox.

~~~
kevingadd
Typically if you "fail" the checkbox (which somehow happens to me a lot) you
get the bus and street lights and such that the other posters are referring
to. What are those if not ReCAPTCHA v3?

~~~
yorwba
reCAPTCHA v2 apparently. reCAPTCHA v3 is advertised as never interrupting
users at all:
[https://developers.google.com/recaptcha/docs/v3](https://developers.google.com/recaptcha/docs/v3)

Which is kind of horrible, since it means that you might not be given an
obvious opportunity to change your score if you fail.

~~~
llaqb
> reCAPTCHA v3 is advertised as never interrupting users at all

That's got to be a joke, since I have to pass the challenge like 99% of the
time, not exaggerating. Of course, I have my browser configured in a
privacy-conscious way, so...

~~~
yorwba
If you can see a challenge, it must be reCAPTCHA v2 instead.

~~~
solarkraft
So does v3 fall back to v2 if you fail it?

------
ve55
ReCAPTCHA is one of the worst things that has happened to the Internet. Please
consider an alternative if you are a webmaster that has a choice. It's
overkill for most purposes.

~~~
cadence-
What’s the alternative?

~~~
robin_reala
Fairly simple: not having CAPTCHAs. By including them you externalise your
business costs onto your users.

~~~
alanpetrel
So how do you stop bots from submitting fake data to sign up forms or trying
to brute force password fields etc. on websites?

~~~
the8472
> brute force password fields

rate limit

> stop bots from submitting fake data to sign up forms

I don't think there's a universal solution here. It depends on the
application itself and why you consider fake signups an issue in the first
place.

~~~
j88439h84
Rate limit by what? Username? IP?

~~~
the8472
Per user if you want to defend against targeted attacks. Per IP if you want to
prevent untargeted attacks. So, both.

Add an email-reset for the limit so users can't be locked out of their
accounts by a DoS.
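
An added example, not part of the comment above or of any project mentioned in the thread: one way to combine the per-account limit, the per-IP limit and the e-mailed reset described there. The thresholds, class name and method names are assumptions made for illustration, and delivery of the reset e-mail is left out.

```python
import secrets
import time
from collections import deque

WINDOW = 900        # seconds of history that count (assumed value)
MAX_PER_USER = 5    # failures per account within WINDOW (assumed)
MAX_PER_IP = 50     # failures per source address within WINDOW (assumed)


class LoginLimiter:
    """Sliding-window limit on failed logins, keyed by account AND by IP."""

    def __init__(self, now=time.monotonic):
        self.now = now
        self.failures = {}       # ("user", name) or ("ip", addr) -> deque of times
        self.reset_tokens = {}   # one-time token -> account name

    def _count(self, key):
        q = self.failures.get(key)
        cutoff = self.now() - WINDOW
        while q and q[0] <= cutoff:
            q.popleft()          # forget failures older than the window
        if not q:
            self.failures.pop(key, None)
            return 0
        return len(q)

    def allowed(self, user, ip):
        return (self._count(("user", user)) < MAX_PER_USER
                and self._count(("ip", ip)) < MAX_PER_IP)

    def record_failure(self, user, ip):
        t = self.now()
        for key in (("user", user), ("ip", ip)):
            self.failures.setdefault(key, deque()).append(t)

    def issue_reset_token(self, user):
        """Value to e-mail to the account's address (sending not shown)."""
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = user
        return token

    def redeem_reset_token(self, token):
        """Single use; clears the per-account counter only, not the per-IP one."""
        user = self.reset_tokens.pop(token, None)
        if user is None:
            return False
        self.failures.pop(("user", user), None)
        return True
```

Call `allowed()` before checking the password and `record_failure()` after a wrong one; because the reset clears only the account counter, an address that is spraying many accounts stays limited.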

------
slivanes
This is confusing because ReCAPTCHA v3 is non-interactive:
[https://developers.google.com/recaptcha/docs/v3](https://developers.google.com/recaptcha/docs/v3)

~~~
ah-
I always assumed it used your IP, tracking history etc. to decide. Am I wrong
about that?

~~~
slivanes
I'm sure it takes that into account, plus whether you are logged into any
google account with associated meta information about you at the time.

It also learns about typical usage on that page, it trains about usage
patterns, mouse movements etc.

We find it very effective in eliminating bot spam.

~~~
pdkl95
It's also very effective at excluding people like me. Even when logged in to a
Google account with a very benign history (mostly used to watch youtube) with
years (>4) of regular activity, Google won't[1] even _attempt_ reCAPTCHA (any
version) because they think my browser isn't one of the handful of specific
browser versions they support[2]. The actual browser version is fine, it's
configured similar to the Tor browser to minimize data leaks and browser
fingerprinting. So I cannot use any site with reCAPTCHA not because of any
technical limitation; unless I "upgrade"[1] to a configuration that leaks a
lot more data.

[1] [https://imgur.com/9wT9yZ2](https://imgur.com/9wT9yZ2) [ignore font/layout
issues in that image - my usercss and fontconfig/freetype font rendering
settings are very unusual, complex, and often very disruptive]

[2]
[https://support.google.com/recaptcha/?hl=en#6223828](https://support.google.com/recaptcha/?hl=en#6223828)
"We support the two most recent major versions of the following: [Desktop:
Chrome, Firefox, Safari, Edge]"

------
gurpreetsatwal
I don't have much data to back this up, but I've noticed that I get the
recaptcha challenge almost every single time when I use Firefox. Whereas
if I use Chrome I only get it once after not using Chrome in a while.

Also on Firefox mobile, not only do I get the challenge, but I get multiple
challenges.

------
jgowdy
I'm somewhat glad to hear I'm not the only one who has been subjected to
extremely excessive recaptcha tests according to these comments. Especially
when I'm filling these out just to login to websites of which I'm a customer.
I get it for ordering, but if you put this on your customers logging in, it's
like you're _begging_ for cancelations. Google is the one determining your
paying customer's user experience.

And if I pass your captcha, can you not cookie me with a signed token
indicating that I already proved I was human for 30 days? It's like these lazy
people can't handle bot login spam, so they just throw recaptcha on their
login form and call it a day.

If your login form requires paying customers to fill in recaptcha each time,
you're doing it wrong. Please stop. Or go out of business faster.
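
An added example, not part of the comment above or of reCAPTCHA: a sketch of the signed 30-day "already passed the challenge" cookie value that the comment asks for, built on an HMAC. The key, the token layout and the function names are assumptions; binding the token to the account is also an assumption, made so that one solved challenge cannot be replayed for other accounts.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder; a real deployment loads the key from a secret store.
SECRET_KEY = b"constructed-demo-key"
TTL = 30 * 24 * 3600   # the 30 days mentioned in the comment, in seconds


def _mac(payload):
    digest = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue_human_token(account_id, now=None):
    """Cookie value to set after a successful challenge: account|expiry|mac."""
    issued = int(time.time() if now is None else now)
    payload = f"{account_id}|{issued + TTL}"
    return f"{payload}|{_mac(payload)}"


def verify_human_token(token, account_id, now=None):
    """True only for an unmodified, unexpired token issued to this account."""
    now = int(time.time() if now is None else now)
    try:
        payload, mac = token.rsplit("|", 1)
        token_account, expires = payload.rsplit("|", 1)
    except ValueError:
        return False                       # wrong number of fields
    # Check the MAC in constant time before trusting any field.
    if not hmac.compare_digest(_mac(payload).encode(), mac.encode()):
        return False
    return token_account == account_id and now < int(expires)
```

The login handler would skip the challenge only when `verify_human_token()` returns True for the account being logged in to, and would set the cookie with the `Secure` and `HttpOnly` attributes.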

~~~
Sylamore
The fastest way for me to get flagged is to request the audio test instead of
the visual test. More than 7 out of 10 times it will halt and say my computer
is sending automated queries and that I should try again later.

I've even gotten caught in a reCAPTCHA loop where I successfully complete the
captcha only to have to redo it again as soon as the page reloads.

------
xdrxd
I wonder how to set up browser history, cookies and IP address in Chrome. If
you've got some idea, please share.

