> 4. Solves CAPTCHAs via CapSolver (AI-powered, ~$0.001/solve)
Right, so my suspicion was correct: I'm the only one being inconvenienced by the same old captchas.
> 4. Solves CAPTCHAs via CapSolver (AI-powered, ~$0.001/solve)
Right, so my suspicion was correct: I'm the only one being inconvenienced by the same old captchas.
It depends on the CAPTCHA, but there's a reason why Apple, Cloudflare, and Google are shifting towards remote attestation for proof-of-humanity.
The reCAPTCHA v3 Enterprise version and MtCaptcha cost a whopping 3x as much ($3 per 1000 solves). Seems like they're the best CAPTCHAs to go for.
recaptcha v3 will require the human to have a Google certified android device (i.e. no GrapheneOS or LineageOS etc.) and a dedicated iOS app which leaks device ID and other data.
Google will get to know every user browsing the web and link it to a smartphone. Since they’re rolling out government issue ID verification at the OS level, this change will allow Google to identify a random web visitor to a govt ID.
https://support.google.com/recaptcha/answer/16609652?hl=en
More info on how an iOS app can leak device ID? I thought Apple did away with access to device IDs and only provides a per-developer ID.
It’s in the Apple app store App Privacy disclosure [1]
Location (“coarse location”), identifiers (“device id, user id”)
^ both are deemed a necessity for app functionality, with deviceID required for analytics too.
[1] https://apps.apple.com/us/app/recaptcha/id6746882749
I don't see "device id" on that page, just "Identifiers"
I don't believe that iOS apps get a stable device ID. It may be that Google is generating one, and it can be shared across Google apps. But I'm pretty sure there is no global device ID that's common across all apps.
The original point stands that if you use recaptcha and you're signed in to a Google account on the device and you then use another Google app and you've done some form of identity verification with Google, then Google could link identity to recaptcha.
But I think the claim was over-broad about device ID.
The "device ID" part is probably false and a red herring. What actually matters is that google can correlate which challenges a given device is solving, so if it's solving 10k challenges per day, it can be marked as being suspicious.
Sounds pretty much like they're identify the device, then. Or is "device id" Apple lingo for a specific tech?
No, on both android and ios device id implies some sort of identifier that's reusable across apps. Otherwise a uuid that you generate and write to storage could qualify as a "device id".
So, essentially a super cookie? That is, generated once (at random or arbitrarily) and then included with proof of work? But not a fingerprint or otherwise linked to identity?
But then that would not work against correlating fraud detection as sketched above. A client could simply reset the app every now and then to generate a new UUID.
>So, essentially a super cookie? That is, generated once (at random or arbitrarily) and then included with proof of work?
You're just describing a regular cookie.
>But not a fingerprint or otherwise linked to identity?
You'll have to reverse-engineer the app to figure out whether it's actually fingerprinting, and whether it's fingerprinting to make sure it's a real device (vs emulator) or it's fingerprinting to uniquely identify someone. I suspect they're complying with app store guidelines and not doing the latter, because it's not worth the PR hit to just to vaguely improve a product responsible for <1% of their revenue.
>But then that would not work against correlating fraud detection as sketched above. A client could simply reset the app every now and then to generate a new UUID.
The attestation result contains a count of attested keys generated in the past 30 days, which detects this case without a "supercookie" that persists across uninstalls.
https://developer.apple.com/documentation/devicecheck/assess...
> You're just describing a regular cookie.
Yes regular cookie from Google's perspective, but super in that it works across sites. If for some reason you don't just take Google's word you might suspect they collude and share / sell your identity to the site as well...
> The attestation result contains a count of attested keys generated in the past 30 days, which detects this case without a "supercookie" that persists across uninstalls.
Ah. So there is something special limiting control over the UUID? Or is there some way of correlating the physical device to the attestation history?
Why wouldn't I be able to reset and re-enroll in the app and then have it generate me a fresh new cookie attestation history?
>Yes regular cookie from Google's perspective, but super in that it works across sites. If for some reason you don't just take Google's word you might suspect they collude and share / sell your identity to the site as well...
That's just third party cookies.
>Why wouldn't I be able to reset and re-enroll in the app and then have it generate me a fresh new cookie attestation history?
You can get a new uuid, but then that'll be associated with a key that has a high attestation count, which is also suspicious. It's like detecting spam from an account that has 1000 posts in 1 hr vs an ip that created 1000 accounts in one hr making one post each. Both are suspicious.
I still don't get how those 1000 posts tallied with previous UUID would get correlated with the new UUID. If it's only source IP address or similar finger prints, those are relatively easy to get rid off, hide, renew.
(At least, when your goal is to do as many fake attestations as possible rather than use your device for something more useful)
>I still don't get how those 1000 posts tallied with previous UUID would get correlated with the new UUID.
The point is that you can flag accounts/uuids based on monthly attestation count alone, without correlating all the posts to a given account/uuid.
Yes, but isn't there an unplugged hole in the account creation (or fresh install) if that gets you a new UUID with 0 monthly attestation count?
You buy a new phone, install the app, and get an uuid with 0 attestation count. Now what? If you try to use that uuid to farm attestations, it'll be easily linked to that uuid. If you try to uninstall/reinstall, the attestation count will count up, eventually making making the newly created uuids immediately suspicious. You might try to create one uuid per month and then try to farm those indefinitely, but they could require you to reattest every month, which should come back with 0-1 attestations, but if you were farming uuids that'll be immediately caught.
I guess I just misunderstand what is being attested. Is the attestation proving that your randomly assigned UUID belongs to a human, or conversely, does a proof of work simply prove that your device "owns" some UUID?
So at 3x times the monetary rate, Google is literally selling it's customers?!
>Google is literally selling it's customers?!
You can characterize this commercial arrangement as whatever you want, but not meaningfully different than what they had before, where they were getting users to click boxes and charging businesses per "verification".
Captchas are getting so annoying and puzzling they will soon prove you're unlikely to be human if you pass them.
Its only Google's ReCaptcha that sucks, with its eternal gaslighting.
"Select stairs": okay, does that mean the railing too? And probably some percentage of people clicked rails, so now I have meta it and guess if that percentage is enough to throw off my guess.
"Select motorbike": okay, but you're showing me a bicycle. I'll click "skip". FAIL. TRY AGAIN. Sighs.. okay, I guess the average person is so dim-witted they will misidentify a bicycle for a motorbike.
It’s not just Google. Look at Arkose, which are not only difficult for humans to solve, they’re difficult for humans to even understand (“move the particle to the correct orbit”).
> "Select stairs"
And the "correct" pictures all shows steps, not stairs.
> "Select motorbike"
And the "correct" pictures all show mopeds, not motorbikes.
Christ, don't get me stated on taxis that aren't black, fire hydrants that aren't a yellow H sign (apparently I'm supposed to look for something like a yellow painted R2D2) and WTF is a "crosswalk" (a pedestrian crossing?).
>with its eternal gaslighting.
That's not gaslighting.
>And probably some percentage of people clicked rails, so now I have meta it and guess if that percentage is enough to throw off my guess.
No, there are multiple accepted answers.
> That's not gaslighting.
It is gaslighting me into thinking I gave the wrong answer.
> No, there are multiple accepted answers.
Nope, even for very simple things like "select all fire hydrants" (which are extremely obvious) or "select all images with cars" (with the images only being images completely devoid of cars or only cars, no lorries or busses), you still get a fail.
I assume you work on Captchas, which makes it extra cute you're trying to gaslight me about the built-in gaslighting :). It is really obvious too because it doesn't happen when not using a privacy browser and/or VPN.
At any rate, I hope you internalize that your work has made everyone's everyday life a little more miserable. A net negative to society.
I think my browsing habits may have changed, as I rarely see captchas. However, just the other day, my son was frustrated by one that he said had taken him fifteen or more tries, and he still hadn't succeeded.
Yeah, that is a very common complaint about Google's recaptcha. If they don't like you, they actually just send you through an infinite failure loop, even though you keep solving them correctly.
Roblox, by far, has the strangest and most difficult to solve.
Some chess sites make you solve a checkmate problem for a captcha. Are those automated now, or is that a good method?
Isn’t chess easy now for computers? How can that be a good method?
Makes it tempting to buy paid captcha solving just to enjoy life more
Google has a new captcha coming down the line that requires a phone connection and scanning of a QR code.
Looks like they have a browser extension! https://www.capsolver.com/products/browser-extension