Finally it's available, and the blog post disappointed me a bit. Here's a WordPress registration page successfully using No CAPTCHA.
Now let's open it in an incognito tab... Wait, annoying CAPTCHA again? But I'm a human!
So what Google is trying to sell us as a comprehensive bot-detecting algorithm is simply a whitelist based on your previous online behavior and the CAPTCHAs you solved. Essentially: your cookies. Under the hood they replaced challenge/response pairs with a token, "g-recaptcha-response". Good guys get it "for free", bad guys still have to solve a challenge.
Does it make a bot's job harder? Not at all. The legacy flow is still available and old OCR bots can keep recognizing.
But what about new "find a similar image" challenges? Bots can't do that!
The thing is, No CAPTCHA actually introduces a new weakness!
Abusing clickjacking, we can make the user (a good guy) generate a g-recaptcha-response for us with a single click (demo bot for WordPress). Then we can use this g-recaptcha-response to make a valid request to the victim (from our server or from the user's browser).
It's a pretty serious weakness of the new reCAPTCHA: instead of making everyone recognize those images, we can make a bunch of good "trustworthy" users generate g-recaptcha-responses for us. The bot's job just got easier!
You're probably surprised: how can we use a 3rd-party data-sitekey on our website?
P.S. Many developers still think you need to wait a while to get a new challenge.
@homakov I've used them in the past, accuracy is about 80% and response time about 10 seconds per attempt. Still too slow for some attacks. In fact you can prepare as many challenges as you want and then start spamming later. It's another reCAPTCHA weakness that will never be fixed.
— Stephen de Vries (@stephendv) December 4, 2014
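A server-side policy check for the `g-recaptcha-response` flow discussed above, added here as an example (not code from the original post or from Google): it takes the JSON already returned by reCAPTCHA's `siteverify` endpoint and accepts a token only if it was solved on our own hostname, is fresh, and has not been seen before. `ALLOWED_HOSTS`, `MAX_TOKEN_AGE`, `check_siteverify` and the sample hostname are assumptions; whether the reported `hostname` is populated when the referrer is suppressed is not established on this page, so a missing value is rejected.

```python
from datetime import datetime, timedelta, timezone

# Policy values are assumptions for this example, not reCAPTCHA defaults.
ALLOWED_HOSTS = {"blog.example"}        # hypothetical hostname of our own site
MAX_TOKEN_AGE = timedelta(seconds=120)  # how old a solved challenge may be

# In-memory replay cache; a real deployment would use a shared store with expiry.
_seen_tokens = set()


def check_siteverify(token, result, now=None):
    """Apply local policy to the decoded siteverify response for `token`.

    `result` is the parsed JSON body with the documented fields
    success, challenge_ts, hostname and error-codes.
    Returns (accepted, reason).
    """
    now = now or datetime.now(timezone.utc)
    if not result.get("success"):
        return False, "rejected by siteverify: %s" % result.get("error-codes", [])

    # Fail closed: an absent hostname is treated like a foreign one.
    host = result.get("hostname")
    if host not in ALLOWED_HOSTS:
        return False, "solved on unexpected hostname: %r" % (host,)

    try:
        # fromisoformat() on older Pythons does not accept a trailing "Z".
        solved_at = datetime.fromisoformat(result["challenge_ts"].replace("Z", "+00:00"))
    except (KeyError, ValueError, AttributeError):
        return False, "missing or malformed challenge_ts"
    if solved_at.tzinfo is None:
        solved_at = solved_at.replace(tzinfo=timezone.utc)
    if now - solved_at > MAX_TOKEN_AGE:
        return False, "token is stale"

    # Refuse a token that was stockpiled and is now being submitted again.
    if token in _seen_tokens:
        return False, "token already used"
    _seen_tokens.add(token)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample response, not captured traffic.
    sample = {"success": True, "challenge_ts": "2014-12-04T10:00:30Z", "hostname": "blog.example"}
    at = datetime(2014, 12, 4, 10, 1, tzinfo=timezone.utc)
    print(check_siteverify("tok-1", sample, at))   # first use
    print(check_siteverify("tok-1", sample, at))   # replay of the same token
```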
"ERROR: Invalid domain for site key"
you're using an outdated browser? Read the last paragraph - we need referrer=never to bypass their "protection"
I got that error too and I'm using Firefox.
hmm maybe because I don't use proper markup. Anyway it *is* solvable, there's always a way to kill referer, we can use data:text/html after all. For demonstration please use chrome :)
yep, works in chrome. Used Firefox 33.1 before.
Why don't they require referrer headers to be present and to match the domain, rather than only checking for a mismatch if they are present -- too many addons/proxies that strip them?
They don't do image likeness ones because generating those data sets is very complex and that cat one, while cute, probably took a day to create, and would take a spammer like 2 minutes to be able to handle that particular question if it comes up in the future.
This might interest you:
Repository doesn't exist (anymore?)
How can I activate it on blogger.com?
According to my tests this works fine for like 3/4 consecutive times a given "good-guy" user solves a captcha. Then it seems to show me a captcha always. If this is the case, this technique is almost worthless for me. Need too many good guy users to do any decent spam.
Hello, I have a problem with "Invalid domain" on Chrome 43.0.2357.130 m
This "Invalid domain" bypass doesn't seem to work anymore.