
Testing those same captchas on Google Chrome improved my accuracy by at least an order of magnitude.

Either that or it was never about the buses and fire hydrants.



It's a known "issue" of reCaptcha, and many other systems like it. If it thinks you're a bot, it will "fail" the first few correct solves before it lets you through.

The worst offenders will just loop you forever, no matter how many solves you get right.


stock Chrome logged into a Google account = definitely not a bot. here, click a few fire hydrants and come on in :^)

I sincerely wish all the folx at Google directly responsible for this particular user acquisition strategy to get every cancer available in California.


I would think that when you're viewing recaptcha on a site, if you have 3rd party cookies disabled the embedded recaptcha script won't have any way of connecting you with your Google account, even if you're logged in. At least that's how disabling 3rd party cookies is supposed to work.


Of course, if you have 3rd party cookies disabled, Google would never link your recaptcha activity to your Google account.

They just link it to your IP address, browser, operating system, screen resolution, set of fonts, plugins, timezone, mouse movements, GPU, number of CPU cores, and of course the fact you've got third party cookies disabled.


Isn't Chrome shifting to blocking 3rd party cookies by default? If that's the new default then the default behavior would be that being logged into Google isn't used as a signal for recaptcha.


Do you really think they won't make a hidden whitelist for their own domains?


There'd be no way to hide this. If 3rd party cookies are disabled it's trivial to observe if an embedded google.com iframe is sending my full google.com 1st party cookies in violation of the 3rd party cookie settings. There's no pinky promises involved, you can just check what it's sending with a MITM proxy.

I'm sure they're doing other sketchy things but it wouldn't make sense to lie in such a blindingly obvious way. (I just tested it, and indeed, it works as expected)


So like X-Client-Data which in many cases uniquely identified you but was, pinky promise, never used for tracking. Sent only to Google domains.

https://9to5google.com/2020/02/06/google-chrome-x-client-dat...


that would fall under "I'm sure they're doing other sketchy things".


"Oh, that's interesting...there is one other user that matches all of that metadata"


That's because Chrome tracks so much telemetry about you that Google is satisfied with how well it has you surveilled. If you install a ton of privacy extensions like Privacy Badger, uBlock, VPN extensions with information leakage protections, etc., watch that "accuracy" plummet again as it makes you click 20 traffic signals to pass one check.


I stop going to sites using that method due to this. I have no intention of proving I'm a human if I have to click several dubious images 3-4 times in a row.


Yeah, we've looked at it in the context of reCAPTCHA v3 and 'invisible behavioral analysis': https://www.youtube.com/watch?v=UeTpCdUc4Ls

It doesn't catch OpenAI even though the mouse/click behavior is clearly pretty botlike. One hypothesis is that Google reCAPTCHA is overindexing on browser patterns rather than behavioral movement.



