What will happen when we select wrong images repeatedly in reCAPTCHA?

I have seen a lot of CAPTCHAs and reCAPTCHAs on websites. So, can someone tell me: is there any danger in repeatedly selecting wrong images in reCAPTCHA?

CAPTCHA stands for Completely Automated Public Turing test. It is used to make sure the request is made by a real person and not by an automated script. It helps to check spam.
For example, in the case of Facebook, after you have hit like for many posts continuously within a small time interval, it will ask you to verify that you are a real person by showing its captcha. If you fail to select the right image, you will be barred from liking any more posts till you get the captcha right.
Similarly, the danger of selecting the wrong captcha varies according to the website. In most cases you would not be able to complete the process that you wanted to undertake on the website, like signing up, making a new post or booking a ticket.
For reasons why people get captcha wrong, check this out: Why people get captcha wrong?

Related

Force Google Recaptcha Challenge

Is it possible to set some flag in my browser so that I always get the RECAPTCHA image challenges? Sometimes when you click on the "I am not a robot" button, it gives you a pop-up challenge with something like "Click all the images which contain a car", but sometimes it just checks off the box and takes your word for the fact that you're not a robot.
I would like to test the UI of my tool both on a desktop and on mobile, and make sure that the challenge pop up shows up and interacts well with other elements of the page.
In other words, as a developer, I want Google to think that I'm a robot so that it always gives me the visual challenge.
Is there any way to force this behavior?
Note: I've done some research and was unable to find any relevant questions or blog posts that might yield an answer.
Force Google recaptcha to use simple checkbox click challenge asks for a way to force Google to NOT use the visual challenge, only the checkbox
How to force recheck user with reCAPTCHA? talks about forcing a recheck of some kind, but has no answers
https://groups.google.com/forum/#!topic/recaptcha/2ed-s3KK3Do actually asks my same question, but users did not seem keen on providing answers, with one user just suggesting not to use RECAPTCHA at all!
https://developers.google.com/recaptcha/docs/faq#id-like-to-run-automated-tests-with-recaptcha-v2-what-should-i-do is straight from Google, but it does exactly the opposite of what I want - it sets your site up such that the captcha appears on the page but is actually a test captcha that always lets you pass, and NEVER gives you the challenge. I want the exact inverse of this.
The methods told here should generally work, but there is no guarantee of the same. There is a very easy way to guarantee that the Google reCAPTCHA challenge always shows up. All you need to do is to add a custom BOT device in developer tools and then use the same to test.
In Chrome Dev Tools, open Settings. Open Devices after that.
Add a custom device with any name and set User Agent String to Googlebot/2.1
Finally, in Device Mode, at the left of the top bar, choose the custom device that you created (the default is Responsive).
Thanks to the SO users who had put it up in the answer and follow-up comment here.
I too have been looking for similar functionality. While I have not found a code-based solution to force the challenge, I have found a fairly reliable hack.
Grab a VPN tool (I happen to use IP Vanish), then connect to a remote server (I've had success connecting to China). Then, open up a private/incognito window and fill out your form.
From my testing, the combination of the remote IP and the blank user session triggers the challenge.
Here are a few things you can try. In my experience all of them will increase your chances of getting a challenge.
Log in at https://www.google.com/recaptcha/admin and edit your reCAPTCHA settings. Under Security Preference choose Most Secure.
Use a VPN + incognito mode (as suggested here)
If you're using the invisible reCAPTCHA, I found that using explicit rendering + immediately calling grecaptcha.execute() after grecaptcha.render() will usually trigger the challenge. I suspect this is because Google's AI expects a user interaction of some kind to trigger grecaptcha.execute() and not the onloadCallback itself.
I use reCAPTCHA's SDK in Android, and I also encounter the need to force validation when testing. I tried it many times. At last, I turned off or turned on the flight mode, which can be verified in the retest. I guess it may be that Google put my IP on the white list in the background, so I passed the verification without any challenge.
That should be possible, because when LinkedIn forcefully logged out a user for excessive usage, it showed a captcha on the next login, and there always was the challenge.
Unfortunately, LinkedIn switched from Recaptcha to another provider just a few days ago, so I cannot just look into their JavaScript code.
It is what makes me believe that Recaptcha does have an undocumented option to force the challenge.
2022 and later
It seems to be increasingly harder to trigger the recaptcha challenge of the invisible recaptcha. Using the UserAgent of a bot, going into incognito mode is not enough anymore. A VPN might work, but I do not trust free VPN services.
I am however still able to trigger the recaptcha challenge when I'm only using the keyboard while filling in the form fields and pressing the submit button with the enter key. It seems like the Google Recaptcha is now also following your mouse movements to determine if you are a real user. Make sure to never hover your mouse cursor over the webpage and only use the keyboard.
I was looking for something like this and after some research plus trial & error what worked for me is to use the invisible recaptcha and invoke the challenge with JS.
After you have loaded the recaptcha script on your page then do
grecaptcha.execute()
and the challenge might be invoked.
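The explicit-render-then-execute approach from the answers above, as an added example for testing your own form's challenge UI (not code from the original posts). The site key placeholder, the `recaptcha-test` container id and the helper name `renderAndExecute` are assumptions; as the answers say, the challenge may or may not appear.

```javascript
// Load the API with explicit rendering so nothing renders automatically:
//   https://www.google.com/recaptcha/api.js?onload=onloadCallback&render=explicit
const SITE_KEY = 'YOUR_SITE_KEY'; // placeholder, use your own site key

// Hypothetical helper: renders an invisible widget and calls execute() right
// away, with no user interaction in between. Resolves with the token, rejects
// on the widget's error/expired callbacks or when no token arrives in time.
function renderAndExecute(grecaptcha, container, siteKey, timeoutMs = 120000) {
  return new Promise((resolve, reject) => {
    const timer = setTimeout(
      () => reject(new Error('no token before timeout')), timeoutMs);
    const finish = (settle, value) => { clearTimeout(timer); settle(value); };

    const widgetId = grecaptcha.render(container, {
      sitekey: siteKey,
      size: 'invisible',
      callback: (token) => finish(resolve, { widgetId, token }),
      'error-callback': () => finish(reject, new Error('reCAPTCHA error')),
      'expired-callback': () => finish(reject, new Error('token expired')),
    });

    // Executing straight from the onload path is what the answers report
    // as likely to bring up the visual challenge.
    grecaptcha.execute(widgetId);
  });
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined') {
  window.onloadCallback = () =>
    renderAndExecute(window.grecaptcha, 'recaptcha-test', SITE_KEY)
      .then(({ token }) => console.log('token received, length', token.length))
      .catch((err) => console.error('challenge flow failed:', err.message));
}
```

The page needs an empty element with the id `recaptcha-test` for the widget to attach to.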

How to read content from reCAPTCHA protected site

My client needs data scraped from a website. I am planning to use php_curl. The problem is, the site is using Google reCAPTCHA. A few powerful data items are visible only when you click "show this information link". Then the reCAPTCHA appears in a lightbox and vanishes, and the information is displayed.
I have checked the source html, the protected item is actually loaded when someone clicks, and there is no way for me to automate this click. I have even tried to open the site in iframe and then use JS to click it, but it fails as both domains are different. I have also tried to use Selenium stand alone version but its downloads are corrupt.
Unless there is a design flaw with the website, the reCAPTCHA will prevent you from scraping the material without human intervention.
Technically, your best bet is to employ humans to solve CAPTCHAs all day and write some software to automatically scrape the material it protects for each one they solve. A number of viable businesses have been created this way, where the data is valuable and there is a genuine public interest in opening the data-set. (For example I heard that flight companies use CAPTCHA devices to prevent price comparison sites from driving down the cost to the consumer, and I'd argue in such a case there is an overwhelming public interest to defeating such defences).
Morally, however, you would need to tell us what you are doing in order for us to advise you. It is possible your client is merely planning to steal other people's material and then attempt to monetise it for him/herself, even though they had no hand in creating it. That may breach some copyright laws, but moreover, they (and you) need to decide if the scraping is fair.
I am facing the same problem but resolved it using clear my cookies in httprequest in useragent after clear cookie wait time function (thread sleep) for some time and then start scraping again. But I am doing this in C#, not in PHP. Applying this logic may help you.

Started using App on facebook?

Now, I see many apps that will say "started using [Name of App]". Is that simply a call to StreamPublish or is there a new function call to achieve this?
I am currently using Facebook to allow people to log in with their Facebook accounts, similar to turntable.fm, and then going to my webpage. How do I make it so that other friends can see that they started to use the application? I have not been able to find this anywhere.
There is a setting on your application for "social discovery". Enable it and those posts will show up.
Sorry, this is not an answer but a clarification of the questions and answers (I don't seem to have enough points to be able to comment).
Firstly, I'd like to say that if you are developing a Facebook app this would seem to be a very important question, as it would have a huge impact on the virality of your app. It would mean that every single registered user is potentially advertising your app to each of their friends. Without this happening your only options for viral spread through Facebook are:
asking for 'publish_stream' permission and using the 'Post to wall' API call. Asking for this may deter many users from using your app in the first place.
User initiated sharing (like button, post to wall). Unless your app was amazingly awesome you'd be lucky to get a 5% rate with this (as opposed to the 100% rate you'd get with the mysterious 'started using' feed post)
I created a fake account for testing, created a facebook app (as a webpage, not as a facebook app/iframe), made sure social discovery was enabled, but I could not see any activity on my ticker or my feed. However, I did learn that there is a thing called the 'canvas ticker' which is completely separate from the 'main' ticker and can be seen when you use any facebook iframed-app. A notice did appear in the 'canvas ticker' but it said 'a is using b' not 'a started using b'. Getting a message on the 'canvas ticker' is not nearly as significant as getting a 'main ticker' or news feed post as relatively few people use 'facebook iframe apps'. I thought that this is what I must have remembered seeing (not seeing 'started using' in my news feed or main ticker), so I gave up worrying about it.
However, recently I started using Graph API Explorer http://developers.facebook.com/tools/explorer/ and a 'started using' post appeared in my alter-ego's news feed. That is exactly what I remember seeing with other apps ('started using' rather than 'is using') but it seems to be quite a rare occurrence. I'm not sure if anything appeared in my alter-ego's main ticker.
Now I am really confused. This feels a lot like figuring out how Google's pagerank algorithm works.
update:
this link has proved quite useful: http://developers.facebook.com/blog/post/410
I think 'started playing' only applies if your app is set to having the 'games' category. Apparently these 'started playing' stories only show on the newsfeeds of people who have already started playing the game. So they can't really be of much use for gaining new users (as only users who are already using the app see it). However, the blog post states,
"By showing fewer but more impactful News Feed stories based on
friends’ activity and social context, we hope to drive new user growth
for games. For example, instead of the typical story saying that
someone just bought a new item, it could say “Dave, Jonny and 3 other
friends” just started playing a game."
I am really confused by this. How can the 'started playing' story possibly 'drive new user growth' if they only appear to people who are already playing??
The 'x started using Graph API Explorer' seems to be a really odd one. I think because it's an app made by Facebook it has special priority and that's why it showed as a story in all of my friends' newsfeeds. I've been installing a lot of non-game apps to see if the 'started using' story appears but I could not find one that did. I'm now not sure if I ever remember seeing a 'started using' story. I installed games such as Farmville and Sims Social and yes, I did see a 'started playing' story on my alter ego's newsfeed.
Why is that incredibly hard to find blog post above not part of the official documentation? And why doesn't the blog post explain exactly how things work with good and thorough examples instead of being really vague? I think every app should have an equal chance for viral growth without having to spend hours conducting pseudo-scientific experiments with fake user accounts just to figure out how things work because the documentation is poor. I'm sure players like Zynga have the resources to figure out Facebook inside and out but this is getting really frustrating as a sole developer.
This is why I'm hoping for a day when the prominent social network's code is open source. Nothing beats being able to directly read the source code when documentation is poor. That is one of the great things about open source.
Hey this is a common question I hear from my clients whom I write FB apps for.
It's called the FB User Discovery Story and it's automatic. Facebook eventually enables it for applications. There's nothing you can do to make sure it's displayed, and its visibility is affected by the evoking user's privacy settings as well as the receiving user's settings.
Also, note that it does not require your application being in the app directory.
The new Facebook application interface allows you to toggle the feature on and off but it still relies on the user's settings as well.

Why is CoreGui RobloxLocked in the DataModel and why can't trusted users use CoreScripts?

We should be able to access some of it so that we can edit the placement of each GUI object inside of CoreGui. So, other than security reasons, why are we not allowed to edit placement of GUI objects?
Also, why can't trusted users use CoreScripts? What if they need to access HttpGet so they can provide a nice display showing where their best friend is at the current time and place? SocialService won't always do the trick.
Can a developer (or any other experienced Roblox player, particularly one that knows the UI in and out) please answer these questions to the best of his/her ability?
I asked this in the OBC cast, specifically about editing the UI inside CoreGui. I'm not sure what security reasons could be preventing this, however. They did reply - the answer was, "Well, we definitely don't want you moving the little help icon, or the exit button."
I got the feeling the general reason is because users would become confused if everything was misplaced. For example, if you went into a website where you could play several games all made by that company (like ROBLOX), would you expect the exit or help buttons to be placed differently in every game?
They did say we will be able to change the colours.
Hope this clears things up.
Some GUI objects like the report abuse button we don't want users to have the ability to be able to remove. Another sensitive area is the chat window. If it was completely scriptable, you could write a script to make it look like another user was saying something that he wasn't. This is not really desirable.
HttpGet is currently a privileged function for two main reasons:
It would allow users to get dynamic content into levels, which would make moderation a more difficult task.
Poorly or maliciously written scripts could HttpGet roblox.com in an infinite loop, sapping our server resources.
There was no obvious benefit, but some obvious downsides. We prefer to solve only the problems that need to be solved in order to ship features, so we err on the side of caution for things like this. If we later decide to open up new functionality, like making the ROBLOX social graph available through an API, we can do that with a dedicated interface that limits the number of requests you can make to the website in a given period, and only return the info that we are sure we want you to be able to get.
It's interesting to note that for a very long time Adobe Flash player didn't support TCP sockets for the same reason.

How to know quantity of users with turned off images in browser?

I'm working on a quite popular website, which looks good if the user has turned on the "Load images" option in his browser's settings.
When you try to open the website with the "turned off images" option, it becomes unusable; many components won't work, because the user won't see "important" buttons (we don't use standard OS buttons).
So, we can't understand and measure the negative business impact of this mistake (absent alt/title attributes).
We can't set a priority for this task, because we don't know how many such users come to our website.
Please give me some advice on how this problem can be solved.
Look in the logs for how many hits you get on a page without the subsequent requests from the browser for the other images.
Of course the browser might have images cached, so look for the first time you get a hit.
You can even use IP address for this, since it's OK if you throw out good data (that is, hits that are new that you disregard). The question is just: Of the hits you know are first-time, how many don't get images?
If this is a public page (i.e. not a web application that you've logged in to), also disregard search engine bots to the greatest extent possible; they usually won't retrieve images.
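The log check described in this answer, as an added example (not code from the original post): for each client IP it takes the first page hit, drops bot user agents, and counts how many of those first hits are not followed by an image request. The sample log lines are constructed, and the 30-second window, the bot pattern and the function name `imagesOffEstimate` are assumptions.

```javascript
// Constructed access-log sample (combined log format), not real traffic.
const SAMPLE_LOG = `
198.51.100.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /img/buy.png HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Oct/2023:13:56:03 +0000] "GET /style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Googlebot/2.1"
198.51.100.10 - - [10/Oct/2023:13:58:00 +0000] "GET /index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"
198.51.100.11 - - [10/Oct/2023:13:59:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.11 - - [10/Oct/2023:13:59:01 +0000] "GET /img/logo.gif HTTP/1.1" 200 700 "-" "Mozilla/5.0"
`;

const LINE = /^(\S+) \S+ \S+ \[(\d+)\/(\w+)\/(\d+):(\d+):(\d+):(\d+) [^\]]+\] "GET (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;
const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
                'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
const IMAGE = /\.(png|jpe?g|gif|webp|svg|ico)$/i;
const BOT = /bot|crawl|spider|slurp/i; // assumed pattern, extend for your traffic
// A "page" is a path ending in .htm/.html or whose last segment has no dot.
const isPage = (p) => /\.html?$|(^|\/)[^./]*$/.test(p);

function imagesOffEstimate(logText, windowSec = 30) {
  const firstPage = new Map(); // ip -> { time, gotImage }
  const seen = new Set();      // IPs that already made any request
  for (const raw of logText.split('\n')) {
    const m = LINE.exec(raw.trim());
    if (!m) continue;
    const [, ip, d, mon, y, hh, mm, ss, url, status, ua] = m;
    if (BOT.test(ua)) continue; // crawlers usually do not fetch images
    const path = url.split('?')[0];
    // Timezone offset is ignored: all lines are assumed to share one zone.
    const t = Date.UTC(+y, MONTHS.indexOf(mon), +d, +hh, +mm, +ss) / 1000;
    const visit = firstPage.get(ip);
    if (IMAGE.test(path)) {
      if (visit && t - visit.time <= windowSec) visit.gotImage = true;
    } else if (isPage(path) && !seen.has(ip) && status === '200') {
      // Only a full (200) first hit counts; a 304 implies a cached earlier visit.
      firstPage.set(ip, { time: t, gotImage: false });
    }
    seen.add(ip);
  }
  const visits = [...firstPage.values()];
  const withoutImages = visits.filter((v) => !v.gotImage).length;
  const share = visits.length ? withoutImages / visits.length : 0;
  return { firstVisits: visits.length, withoutImages, share };
}

console.log(imagesOffEstimate(SAMPLE_LOG));
```

Several visitors behind one shared IP are counted as a single first visit, which fits the answer's point that discarding good data is acceptable here.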
