Support hCaptcha #319

Open
dessant opened this issue Sep 25, 2021 · 24 comments

Comments

@dessant
Owner

dessant commented Sep 25, 2021

Subscribe to this issue for updates on hCaptcha support.

@Pandapip1

Pandapip1 commented Nov 11, 2021

This is not needed. hCaptcha supports an accessibility system that automatically bypasses captchas for you: https://www.hcaptcha.com/accessibility

Edit: Quote from their website

> How it works: first, an accessibility user signs up via the accessibility signup page, which is prominently linked in the hCaptcha widget info page. They are given an encrypted cookie that can be used several times per day, but must be refreshed every 24 hours via login.
>
> When a challenge is presented to an accessibility user on any site using the hCaptcha service, they will automatically pass.

@kotx

kotx commented Nov 11, 2021

That requires a signup/email, though. It also requires login.

@KaKi87

KaKi87 commented Mar 22, 2022

> automatically get the cookies method to bypass it

I made a PoC for that once, although it must have broken by now, but I'm just saying it's doable. 👍

@mat926

mat926 commented Mar 22, 2022

I see there's already an extension for solving hCaptcha. https://chrome.google.com/webstore/detail/hcaptcha-solver/lfpfbgeoodeejmjdlfjbfjkemjlblijg
Although they don't have their source available, my guess is image recognition, but it's hard to say how they do it.

@KaKi87

KaKi87 commented Mar 23, 2022

> why they had temp-mail?

AFAIK there is no way to get the cookie without receiving an email, so I used a disposable email service to receive it.

@Pandapip1

The accessibility cookie is (supposedly) rate limited. This will (likely) not work.

@kotx

kotx commented Mar 24, 2022

You need an email to get a link, which is rate-limited and therefore can't be shared. Automating a disposable mail address is how you get that link.

We could maybe make an API to do this (and return a cookie), so the browser extension doesn't need to do all the heavy lifting.

@KaKi87

KaKi87 commented Mar 24, 2022

On the contrary, you shouldn't make an API to scrape a rate-limited service, since all requests will originate from the server's static IP address, which will eventually get blocked.

Also, you can't constantly use the same disposable email provider, because it will get detected and eventually banned as well, considering that many of those services already are blocked.

You could submit the form client-side and receive the email server-side, but then the IP address will be blocked by the disposable email providers instead.

So, a fully client-side solution would be the best implementation of the email method; the downside is that you need an actual system app to run a headless browser capable of scraping both hCaptcha and email providers, which would communicate with the extension.

However, I would personally recommend looking for another method than the email one.

@Pandapip1

I still don't understand what's wrong with just bookmarking the hCaptcha accessibility URL. If all else fails, maybe the extension could force-whitelist that 3rd party cookie and automatically refresh it from a user-provided cookie URL?

I don't think it's any harder to sign up for the hCaptcha accessibility URL than it is to sign up to any of the speech recognition APIs. Considering the use-case of this extension is improving accessibility, I doubt the utility of trying to do anything more than providing a link to hCaptcha's accessibility sign up page and automatically refresh and force the cookie to load.

Maybe adding some code to implement privacy passes might also be useful, just to reduce the number of hCaptchas shown.

Repository owner deleted a comment from Pandapip1 Mar 25, 2022
@dessant
Owner Author

dessant commented Mar 25, 2022

I have cleaned up the thread and kept the parts that are useful; please only share relevant information going forward.

I agree that automating the signup for the accessibility cookie is out of scope; the most this extension will do is to refresh the cookie if you have already signed up.

The main goal here is to find solutions that involve object recognition.

Repository owner deleted a comment Mar 25, 2022
@Pandapip1

Pandapip1 commented Mar 25, 2022

> the most this extension will do is to refresh the cookie if you have already signed up.

I'd argue that it should probably implement https://github.com/privacypass/challenge-bypass-extension, if only to reduce the number of hCaptchas shown. I will note that hCaptcha officially supports this protocol.

@kotx

This comment was marked as resolved.

@Pandapip1

Pandapip1 commented Mar 25, 2022 via email

@kotx

This comment was marked as resolved.

@Pandapip1

Assuming the solver solves it 99% of the time, implementing privacy passes will improve that accuracy to 99.91%. I don't see any downside.

@kotx

kotx commented Mar 26, 2022

My mistake, I thought you meant the privacy pass solution would be the only thing the extension would offer. Sounds good now.

@Ezekiel-Game

Ezekiel

It may be malicious, I think.

@mat926

mat926 commented Jun 1, 2022

> I don't know anything but I found this https://chrome.google.com/webstore/detail/hcaptcha-solver/lfpfbgeoodeejmjdlfjbfjkemjlblijg

I tried it and there are several issues with it:

  1. Not open source
  2. Doesn't always work; you don't know what's happening under the hood
  3. Redirects you to gtechmonitor affiliate link before reaching Amazon

@Ezekiel-Game

> > I don't know anything but I found this https://chrome.google.com/webstore/detail/hcaptcha-solver/lfpfbgeoodeejmjdlfjbfjkemjlblijg
>
> I tried it and there are several issues with it:
>
>   1. Not open source
>   2. Doesn't always work; you don't know what's happening under the hood
>   3. Redirects you to gtechmonitor affiliate link before reaching Amazon

I said it may be malicious, did I

@Ezekiel-Game

And I don't know anything, so don't blame me :(

@chirag127

It doesn't work because the privacy pass extension broke their code when they added Cloudflare and haven't realized it yet. There's an open PR in their repo that fixes it, but it has yet to be merged. Also, the protocol does bypass hCaptchas. Just not all of them :)

@ so I can install after merging,

@viasux

viasux commented Aug 31, 2022

> That requires a signup/email, though. It also requires login.

Also, it allows for them to constantly track you all over the internet.
