hCaptcha allowing **every** image as a correct answer

I have enabled hCaptcha protection on one of my sub-domains and so far, no matter what the captcha is telling a user to identify, users are able to click on any image and gain access to my sub-domain, including images that aren’t even what the captcha is asking you to identify.

For example, if hCaptcha was asking a user to identify images including trains, if a user were to click on every image that is NOT a train, the user would still be granted access to my sub-domain… I was able to reproduce this issue on EVERY single attempt I made, not once, not twice, I tested this about 10 times (even on different devices) and was able to gain entry to my sub-domain without clicking the correct images.

I fail to see how this is actually preventing bots from accessing my site if users are able to gain access like this. Can this be fixed anytime soon? Is it an issue with my site? Or?

If you’d like to do your own tests with my sub-domain here’s the url: https://verify.faded.pw/

Not for me. After many failures, I had to get it all correct before it let me in.

I always thought that Captcha was trying to stop bots, but not necessarily trying to determine if you were human. Getting the correct answer was only one element of that test, with the side benefit of having millions of humans do some useful task like image categorisation. It might be that just the added delay and computational power needed is enough to stop most bots, and that your interaction with the mouse etc. is enough to say “mostly human”.

2 Likes

:flushed: I guess I failed that test.

I was just able to pass a captcha without actually selecting any correct images on my phone, so it seems it’s correct what @michael said.
Would be nice if hCaptcha had some kind of sensitivity/secure preference option like reCaptcha has, but I have no idea how such a thing would actually be implemented.
