Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How to enable audio CAPTCHA. #685

Closed
stormsz opened this issue Apr 7, 2019 · 45 comments
Closed

How to enable audio CAPTCHA. #685

stormsz opened this issue Apr 7, 2019 · 45 comments
Labels

Comments

@stormsz
Copy link

stormsz commented Apr 7, 2019

AMihail1's solution, slightly edited by Pants

  • privacy.resistFingerprinting - false
  • privacy.firstparty.isolate.restrict_opener_access - false
  • privacy.firstparty.isolate - false
  • dom.targetBlankNoOpener.enabled - false
  • dom.webaudio.enabled - true
  • and google.com/recaptcha & gstatic.com/recaptcha 3rd party stuff whitelisted in extensions
  • also google likes 3rd party cookies for their services to run
  • also don't mess with windows.name (script, CanvasBlocker: whitelist it)

So i'm a long time user of https://github.com/dessant/buster and wanted to make it work with this user.js.

the problem

when i try to load the audio captcha it get this error:

Your computer or network may be sending automated queries. To protect our users, we can't process your request right now. For more details visit

i cant find the options that are related to this issue, would be grate if someone could help me.
thanks a lot

edit: also the audio captchas and buster work great when i dont have this user.js enabled.

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented Apr 8, 2019

reCAPTCHA is a beast. Personally I refuse to interact with it - and when I really have to, I use a secondary browser (maybe three times a year). I know this doesn't exactly help you. But let me continue.. because you're in for a world of hurt (maybe)

Here's the thing. It's fucking google and they are a biased bunch of wankers. Read this -> #7 (comment)

I recently signed up for a trail trial on a browser compatibility site: so I could test things using Macs etc. I did not need to use captcha or anything, but I was denied my free trial until I emailed them and they said I was flagged as suspicious (all I did was signup? WTF?) - and I had to explain what I was going to use it for. I suspect my IP is flagged, courtesy of google - because, here's the kicker - I used a vanilla Opera (with adblocking disabled on the site) so I wouldn't have any issues.

Once your Firefox if flagged as "suspicious", it's going to take a while for it to be unflagged. So testing changes and getting valid responses might be difficult.

I have very little patience or experience with reCAPTCHA (like I said I avoid it like the plague), but first off you will need to allow all the code (google apis, etc) if you are blocking anything. Then I would look at turning

  • privacy.resistFingerprinting - false
  • privacy.firstparty.isolation -> false
  • security.ssl.disable_session_identifiers -> false ("may be sending automated queries" sounds a bit iffy)
  • dom.webaudio.enabled -> true (Do you need Web Audio API?)

That's for starters, and may work. And you may only need one or two of them. Do you have a gmail account? With FPI off, and you logged into gmail, you might get some respite. Just thinking outside of the box here.

In all honestly though, depending on how much you encounter it, the trade-off in privacy is not worth it IMO. Google are just evil assholes, and they know it, and abuse it.

Let us know how you get on

PS: Do you have a test site for this: I wouldn't mind trying in a vanilla Firefox. I guess https://patrickhlauke.github.io/recaptcha/ does the trick, right?

@Thorin-Oakenpants
Copy link
Contributor

Just for fun: in a vanilla Opera profile: pictures

  • try 1: 5 sets of images, failed, try again
  • try 2: 1 set of images with squares being replaced, very very slowly replaced, so it took me over a minute, and about 9 clicks - success

@ghost
Copy link

ghost commented Apr 9, 2019

I can't get Buster to work at all - I see "This page can't ..." in the box where the CAPTCHA should be ...

CAPTCHAS also insanely long and annoying with:

privacy.resistFingerprinting -> false
privacy.firstparty.isolation -> true
security.ssl.disable_session_identifiers -> false

@Thorin-Oakenpants
Copy link
Contributor

privacy.firstparty.isolation -> true

I would have thought you would want that as false.

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented Apr 10, 2019

I've reading a lot of stuff, and twice I almost came in here to point to something on reddit or elsewhere about this, and to close the issue. Third times the charm...

https://news.ycombinator.com/item?id=19614808

Just have a gander thru that, from the top, just scan down a little and spot the words google or captcha (its not far down, and I didn't read much further myself). The truth is that google is hostile to anything that it senses is not "normal", and normal to them is being able to track you. One user mentions "google ban hell" (been there, done that, many times).

Here are some quotes

this setting causes problems with google captcha - the number of challenges that you will need to solve will drastically increase (thorin: he is talking about RFP)

  • No kidding. I'm talking about ~30-40 clicks (1 click per task in the captcha grid)

not to mention when google puts you in captcha-hell-ban

I've had this happen frequently because my configuration really aggressively blocks this stuff. It's bad enough that I have a separate browser (Gnome Web aka Epiphany) just for logging into and using sites that have Captcha, like Pocket and Bandcamp, and I do everything else in Firefox


I installed uMatrix a while back to recover some anonymity and it worked at first, my Captcha load spiked significantly

^^ that's interesting. Maybe google is picking up on some blocking of services over that IP?


Google's captcha tests are my litmus paper test that what I'm doing is effective

^^ I hear ya


This is why I immediately close any page with google's captcha


Yeah I use multiple browsers. One that is completely locked down and one for CAPTCHA. The internet is hostile to anonymity


https://news.ycombinator.com/item?id=19623001 (sorry big quote coming)

The more websites use Google's "captcha", the more pointless it is to resist fingerprinting. And since that "captcha" is built into Cloudflare's "spam protection", it blocks you from half of the internet already.

Why the scare quotes? Because the purpose of recaptcha isn't to tell humans from bots, it's to punish users who do not wish to be tracked by giving them an endless stream of challenges to solve no matter if they keep getting them right or wrong. It is especially obvious when they intentionally delay the loading of subsequent images if you have too many privacy features enabled, because it does nothing to prevent bots from solving them. It's grouped into several tiers, depending on the amount of frustration they want to generate:

  1. Invisible captcha - you have Chrome, you're logged into a Google account, your advertising ID has a profile full of useful data. You go in with no hassle.

  2. 1 click - maybe you're on a new IP or a new device, but you're logged into a Google account and use Chrome. Click the checkbox and that's it.

  3. Regular captcha - You're not logged in but you don't use any privacy enhancements, so through a combination of fingerprinting, cookies, and other tracking techniques you're uniquely identified anyway. You get 9 images, select 2 or 3 of them and you're good to go.

  4. Annoying captcha - you're blocking third party cookies, you're not on Chrome, looks like you're not being a good cog in the machine. You get a captcha with 9 squares that load more images, or you have to "select squares containing X", and you get 2-5 of these in a row.

  5. Infuriating captcha - you're blocking third party trackers, cookies, all other storage methods, you block or mitigate canvas fingerprinting, you're behind a VPN, your fingerprint is not recognized, there's no data in your profile. Google won't squeeze a cent out of you, so you don't get to use the internet. You're getting an endless stream of slowly loading squares, or 5-7 objects to recognize. Even if you do all of them correctly, it won't let you in. Maybe after 4-8 cycles, but that will still waste ~10 minutes per try. You're barred from any website that links to reCaptcha.

These days websites using it are for all purposes dead to me. I can't visit them and I won't waste my time clicking their images or selecting squares or whatever.

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented Apr 10, 2019

I think I'm around the infuriating captcha in Firefox (if I bothered to let it work), and annoying captcha on a secondary browser - i.e three times a year, so loads of time has passed so I get off "lightly"

At the end of the day, if you want to get some privacy (and you hunted down this user.js etc) you're going to have to block things that upset google.

My suggestion is that it is not worthwhile fighting it, just use a secondary profile with Firefox (or a portable Firefox of your choice) and configure your browsers to run concurrently, or a secondary browser - hell, go Chrome if it fits the bill - i.e add uBlock Origin, uBlock Origin Extra, and clear everything on close, and only use it for those few sites you have to. You might get 1 click captcha in that scenario. Captcha loves it when you're using a chrome browser.

Side note: you could try and use a user agent spoofer extension to always sent chrome UA to the relevant google services used by captcha? IDK.

@Thorin-Oakenpants
Copy link
Contributor

sorry, I jumped the gun. Re-opening. We should identify what prefs cause BREAKAGE - which is what you are getting - vs captcha hell, which while its intrinsically linked, is not what you were asking about.

IIRC, you originally had everything working except the extension "broke". What happens if you go back tot hat point and don't use the extension, but do a manual audio test? IDK how much testing and playing you've been doing, so you could already be flagged as semi-suspicious, but that shouldn't break anything.

@ghost
Copy link

ghost commented Apr 10, 2019

There must be a perfect selection of tweaks that puts us @ no. 2 or 3 for CAPTCHAS rather than the hell we're in atm?

Side note: you could try and use a user agent spoofer extension to always sent chrome UA to the relevant google services used by captcha? IDK.

Surely this can be done thru xyzMonkey? What is the URL for CAPTCHAs exactly?

I think more than a few of us would give up a few security preferences to fix this CAPTCHA solver addon, I can only get it to show the error message OP posted with Skip Redirect, Smart Referer and (potentially) uBlock turned off so there are options in there that are interfering with CAPTCHA for sure, just need to weed 'em out.

@Thorin-Oakenpants
Copy link
Contributor

What is the URL for CAPTCHAs exactly

You would want to allow everything in uBO and watch the logger. google.apis is one of them. It's not many - maybe three domains.

I'm not sure what UA spoofing extension would let you do NO spoofing except a whitelist. And since it would be global, no idea if it then causes breakage - e.g using google search or youtube - where search says you're on Firefox but the google.api says Chrome <-- dodgy.

It's almost as if you'd need to think about a strategy where all google services are blocked as third party, and then you selectively allow them (depending on what domains need to be spoofed to chrome). Might even be easier to use a google container extension and grab all the domains in it, and spoof all those.

And again, it was just a suggestion - it might work if set up properly, along with a couple of pref changes - it's just that compromising those prefs is too much IMO. It's just easier to use a secondary browser - but everyone has diff needs.

@ghost
Copy link

ghost commented Apr 10, 2019

False alarmx3 - my Clear URLS was giving me a "this page is not redirecting properly" error for Buster. Now the addon is enabled but shows the "automated traffic" error.

@stormsz
Copy link
Author

stormsz commented Apr 11, 2019

Hey sorry for leaving this topic without any kind of response for a long time, busy week.
anyway i just want to point out that i followed @Thorin-Oakenpants recommendation and i'm using this user.js to browse the web and another user.js when i need to solve captchas.

my general understanding of it is: google does not want us to get privacy, so they make everything in their power to bully us, long-ass captchas is just one of them. Once you start messing with privacy related settings things, captchas start to slow down, i think its by design.
In the end we can only do so much against an tech giant who controls the internet.
I will keep my eyes on this and yes i have been trying the recommended solutions.

also just food for thought: what if we go the other way around? just block/disable the dam thing all together(captchas) is clear that this user.js is not intended to work with it. Maybe creating an super anti-google bullcrap user.js would be better and it would not raise questions like this one since we can just say that, by default its suppose to NOT work with google captchas.

@crssi
Copy link

crssi commented Apr 11, 2019

@AMihail1
Its https://www.google.com/recaptcha/ and here is one test page https://patrickhlauke.github.io/recaptcha/ and here https://www.google.com/recaptcha/api2/demo

@ghost
Copy link

ghost commented Apr 11, 2019

@AMihail1
Its https://www.google.com/recaptcha/ and here is one test page https://patrickhlauke.github.io/recaptcha/ and here https://www.google.com/recaptcha/api2/demo

Interesting, on the very last link I was able to get the audio reCAPTCHA to play (without Buster installed) but after typing in the words it spat out the "automated traffic" message again.

@ghost
Copy link

ghost commented Apr 14, 2019

my general understanding of it is: google does not want us to get privacy, so they make everything in their power to bully us, long-ass captchas is just one of them. Once you start messing with privacy related settings things, captchas start to slow down, i think its by design.

Agreed it is by design, but I think it'd be possible to pin point the settings that are giving us the "automated traffic" error for sure.

@KOLANICH
Copy link

KOLANICH commented Apr 14, 2019

my general understanding of it is: google does not want us to get privacy, so they make everything in their power to bully us

It is not only Google who bullies us. The websites installing recaptcha do this too. Google here is like a mercenary, providing "free" service of bullying to the ones who wants the ones bullied by recaptcha to be bullied on their websites. See also #644 .

@atomGit
Copy link

atomGit commented Apr 15, 2019

well, i was in a good mood till i seen this mention of Gaagle - they and anyone else using that bloody captcha crap can burn in hell - anyway, i was fooling around with this myself and found that concealing window.name also causes a problem with this - figured i'd mention it if anyone cares

@Thorin-Oakenpants
Copy link
Contributor

windows.name script has an exception for captcha - https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.1-User-Scripts

Unless you're using the one in Canvas Blocker, which I think tells you or it already has, an exception for it as well.

@atomGit
Copy link

atomGit commented Apr 15, 2019

i was using the script from the wiki, which i see is all updated now, so i expect i'll start using CB again - thanks for the infos

@Thorin-Oakenpants
Copy link
Contributor

which i see is all updated now

the script hasn't changed since the author wrote it 142 years ago

@atomGit
Copy link

atomGit commented Apr 15, 2019

no, not the script, the advice - references to Canvas Blocker i mean

@Thorin-Oakenpants
Copy link
Contributor

Ahh OK .. that was only 97 years ago, so I'll let it slide :)

@Gitoffthelawn
Copy link

It's rather difficult to get me to rant, or to cuss, but this fucking Recaptcha shit needs to go away.

I clicked on the fucking traffic lights. I know I did. Yes, I clicked on all of them. Don't you fucking tell me I didn't. I know what a fucking traffic light looks like, and I know how to click on things. Google, don't fucking call me a liar or tell me I'm incompetent. I'm neither of those things. Clearly, Google, your head is up your ass, and you're just trying to waste my time. Fuck off.

OK, rant over. Thanks for letting me vent.

Here's how I currently handle Google's evil Recaptcha system: I don't spend any money whatsoever on any site that uses them. Period. Yes, I've left online shopping carts full of merchandise without finishing the transaction because of Google's Recaptcha. I've refused to sign up for services because of Recaptcha. It's just not worth the hassle. Sometimes I'll send an email to the CEO or CTO of the company that just lost a sale, and explain why. Sometimes, I won't bother. After all, they clearly don't respect my time or my values.

I previously used Buster to answer Recaptcha's for me. It worked perfectly most of the time. But something changed, and now I get the same error as the OP, @stormsz.

If we can figure out what causes Buster to fail, that will be helpful. If we can't, the internet is a big place and I'm willing to be somewhat content using the portion that is Recaptcha-free.

Oh, one more small rant: Fuck Google.

@ghost
Copy link

ghost commented Apr 17, 2019

Like I said before - I'd be willing to sacrifice some privacy/fingerprinting settings to fix recaptcha/Buster, I personally just don't know where to look. :/

@atomGit
Copy link

atomGit commented Apr 17, 2019

issue solved...

Here's how I currently handle Google's evil Recaptcha system: I don't spend any money whatsoever on any site that uses them.

my sentiments exactly, and i've done the same thing regarding abandoning full shopping carts because of that bullshit

@crssi
Copy link

crssi commented Apr 18, 2019

This one... when set to false, the audio works.

/* 2429 */ user_pref("dom.targetBlankNoOpener.enabled", true);

But it is not worth IMHO.

Cheers

@ghost
Copy link

ghost commented Apr 18, 2019

This one... when set to false, the audio works.

/* 2429 */ user_pref("dom.targetBlankNoOpener.enabled", true);

But it is not worth IMHO.

Cheers

Not for me, still seeing "Your computer or network may be sending automated queries. To protect our users, we can't process your request right now. For more details visit our help page" when trying to use audio captcha.

@crssi
Copy link

crssi commented Apr 18, 2019

For sure it is, but seems to be the combination of many.
Since I am relying to TC, I also do not use FPI... so that is privacy.firstparty.isolate = false.
And at the same time set dom.targetBlankNoOpener.enabled = false
I do also have dom.webaudio.enabled = true,

Cheers

@ghost
Copy link

ghost commented Apr 18, 2019

For sure it is, but seems to be the combination of many.
Since I am relying to TC, I also do not use FPI... so that is privacy.firstparty.isolate = false.
And at the same time set dom.targetBlankNoOpener.enabled = false
I do also have dom.webaudio.enabled = true,

Cheers

Confirmed working with these settings toggled.

Make sure CanvasBlocker isn't protecting window.name/opener either as these seem directly related to the "automated traffic" error reCAPTCHA is spitting out!

EDIT: not sure if user_pref("privacy.firstparty.isolate.restrict_opener_access", false); might play a part too.

@crssi
Copy link

crssi commented Apr 18, 2019

Make sure CanvasBlocker isn't protecting window.name/opener either as these seem directly related to the "automated traffic" error reCAPTCHA is spitting out!

For sure it is, since its very similar to dom.targetBlankNoOpener.enabled = true

@Gitoffthelawn
Copy link

I tried:

For sure it is, but seems to be the combination of many.
Since I am relying to TC, I also do not use FPI... so that is privacy.firstparty.isolate = false.
And at the same time set dom.targetBlankNoOpener.enabled = false
I do also have dom.webaudio.enabled = true,

But it still results in the previously posted Recaptcha error.

@crssi
Copy link

crssi commented Apr 18, 2019

Funny, I had working solutions... didn't change a thing, didn't even close the page, since I left computer for that time... now a few hours later it doesn't work anymore.

UPDATE:
Tried with plain vanilla profile... it doesn't work. Tried all bunch of different browsers... it doesn't work.
Obviously we have been "banned" somehow, even changing IP doesn't help.

@Gitoffthelawn
Copy link

@crssi Maybe Google is watching us here and is fucking with us. 😈 LOL.

Right now, when I try solving Recaptcha's using Buster, they time out. No error, but after 1-2 minutes they time-out and the big Recatpcha checkbox turns red.

Just got your update... I wonder what's going on.

@ghost
Copy link

ghost commented Apr 19, 2019

@crssi Maybe Google is watching us here and is fucking with us. 😈 LOL.

Right now, when I try solving Recaptcha's using Buster, they time out. No error, but after 1-2 minutes they time-out and the big Recatpcha checkbox turns red.

Just got your update... I wonder what's going on.

What extra extensions are you running?

@Thorin-Oakenpants
Copy link
Contributor

I know OP was about audio & buster, but since this is all linked anyway

Just have a gander at https://github.com/google/recaptcha/search?q=firefox&type=Issues

  • https://github.com/google/recaptcha/issues/296 : 3rd party cookies being disabled seems to cause an endless loop

That's the first thing I came across. So besides not blocking the domains required, I would suggest that they also be allowed to set 3rd party cookies. I didn't read past the first sentence, and one day if I ever get time, I could test in a vanilla profile and inspect all connections and persistent data. FPI I don't think would break this, at all - it would just mean that you will get asked for a captcha on every domain, rather than just be presented with a checkbox (because it can't access the info it stored from previous captchas). And of course by clearing all data on close all the time, every new session, you start afresh.

Also, I never checked: but the buster extension: what exactly is it using? speech synthesis? the pref media.webspeech.synth.enabled is inactive as part of RFP ALTs, and although OP tested (kinda: once you're in captcha hell you're fucked), RFP does reduce FP'ing in the WebSpeech API. So that could be why the extension went into a google loop

@Thorin-Oakenpants
Copy link
Contributor

Another issue to consider is the RFP also mitigates timing attacks, and rounds to 100ms. I'm do not know if recpatcha monitors mouse movements and timing to determine if you're a human. With everything being in 100 steps, that's suspicious of bot activity. However, I have seen no bugzillas that support that RFP causes recaptcha 2 to break (only the new recaptcha 3)

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented Apr 20, 2019

bit of a read here: https://github.com/ecthros/uncaptcha2 no doubt that's how buster is designed to work

https://github.com/google/recaptcha/issues/268#issuecomment-482328378 - reading this comment, I wonder if there have been changes at google's end, especially since buster came out (and the uncaptcha2 stuff etc). Did anyone bother to check buster's repo and/or comments on AMO etc?

@Thorin-Oakenpants
Copy link
Contributor

I think the key here to recapcha is:

  • allow the relevant cookies, includng 3rd party. the user.js blocks 3rd party cookies, so you need to set an exception for them

This should then allow it to work (the picture clicking etc). However, RFP does cause issues, especially slow fading pictures etc - but it shouldn't break recaptcha. FPI shouldn't break it either.

I also have to ask - just WTF is it all you guys do on the internet that you get recaptchas? I never ever see em or need em (except the occasional sign up, like 3 times a year)

@Atavic
Copy link

Atavic commented Apr 20, 2019

Many blog comments have it.

@ghost
Copy link

ghost commented Apr 21, 2019

I think the key here to recapcha is:

* allow the relevant cookies, includng 3rd party. the user.js blocks 3rd party cookies, so you need to set an exception for them

Any quick fix for noobs here? What do I need to allow thru uBlock exactly?

In saying that, I doI have Buster confirmed working as per those settings we shared up there! ^

@Thorin-Oakenpants
Copy link
Contributor

as per those settings we shared up there

What settings? Can you list them for me, so I can make it official and a FYI label

@ghost
Copy link

ghost commented Apr 22, 2019

as per those settings we shared up there

What settings? Can you list them for me, so I can make it official and a FYI label

It's a pretty big workaround, but as far as I understand you need:

privacy.resistFingerprinting - false
privacy.firstparty.isolate.restrict_opener_access - false
privacy.firstparty.isolate - false
dom.targetBlankNoOpener.enabled - false
dom.webaudio.enabled - true

and google.com/recaptcha & gstatic.com/recaptcha 3rd party stuff whitelisted in uBlock, CanvasBlocker and Privacy-Oriented Origin Policy. I can confirm Buster automatically solving captchas with this setup.

@Thorin-Oakenpants
Copy link
Contributor

well f#ck me ... that's a whole lot of stuff to give up because of google .. and don't forget to make things work better/faster it probably needs 3rd party cookies, and also it requires that you don't fuck with windows.name

@ghost
Copy link

ghost commented Apr 22, 2019

well f#ck me ... that's a whole lot of stuff to give up because of google .. and don't forget to make things work better/faster it probably needs 3rd party cookies, and also it requires that you don't fuck with windows.name

I feel like if we're using Cookie AutoDeleter the 3rd party stuff gets sanitized on tab close?

EDIT: I might be losing my mind but another variable seems to be how you move your mouse on the captcha tile page ...

@Atavic
Copy link

Atavic commented Apr 22, 2019

Use another profile or just install another browser.

@zdat
Copy link

zdat commented Jan 19, 2020

Just tried to add Buster to my arsenal and came across the same issues.

The solution is definitely way too much to give up for me.

Luckily when storing cookies for a site, you wont have to solve a captcha more than once (because you're already logged in). However there's a couple of sites I've come across that make you solve a captcha every time to allow you access to the page.

Also there's some sites that refuse to keep me logged in despite storing cookies for them, but that's a separate problem I'll have to look into.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

8 participants