Someone on GitHub wrote an hCaptcha solver in 1 screen of code that worked in 2018-2020??? but I never tried it myself. 1 out of 20 or 1 out of 100 100% random click patterns always succeed with hCaptcha. With basic automation, and no AI, 20 to 40 POST requests later you win. CF revised their hCaptcha bot challenge in fall 2020 to always include a JS challenge/wait-5-seconds heavily obfuscated/encrypted massive JS blob, and CF doesn’t use the hCaptcha service standalone unless it’s the new accounts/login window.
Furthermore, we submitted the same number of challenges using Selenium WebDriver for Firefox as well. Selenium is the most popular web automation software. We analyzed the results for each experimental setting to identify any discrepancies among these different settings. However, we did not notice any distinct pattern that can distinguish the settings. For example, we came across the same nine image categories, and achieved similar accuracy (over 90%) in all experimental settings. Further, none of the requests were blocked in any of the experimental settings. Our analysis indicates that hCaptcha solely relies on correct image selections to verify a solution without adapting challenges based on users’ threat levels.
That is correct; if you poke around hCaptcha’s JS code, there are no attempts to detect a headless browser other than the touch/mouse x,y coords included with the POST req. hCaptcha was written to be as lightweight as possible on CF/HC servers, and lightweight on clients, Pentium Classic or Pentium II lightweight. hCaptcha’s server-side API I think also lets the dev get the client’s IP in JSON, or pass the client’s IP to hCaptcha to use in a “bot score”. Anti-Mechanical Turk.
reCAPTCHA is maximally AI-resistant, sepia-colored traffic-light picking (autonomous vehicle training/Street View), but reCAPTCHA has an “as designed, bounty rejected” flaw as big as hCaptcha’s. Just log into your Google account, and reCAPTCHA will always 100% 1-click pass.
Make a couple of Gmail accounts, my oh my, reCAPTCHA lets through all the bots (you still probably need a legit Chrome/FF process, since reCAPTCHA does a JS challenge nearly identical to CF’s JS challenge).
For Dec 20-Feb 21 I found WAF hCaptcha impossible to solve: there was a minimum time between clicks, and if you solved it accurately in less than 15 seconds you always failed. March 2021, it’s back to summer 2020 easiness. hCaptcha always lets through 1 or 2 bad tiles, and with some of their images you truly never know if it’s the windshield of a boat or a truck. hCaptcha has a Google-accounts-style “login” feature: give hCaptcha your email address, verify it’s real, and you get 10 free image solves an hour (or a day) if you really are handicapped. The hCaptcha handicapped cookie and CF WAF (403/429) always fails. Not that easy.
CF/HC always said the handicapped feature isn’t an exploit, it is as designed, after a Japanese blogger wrote it up as an exploit. reCAPTCHA’s audio challenges were broken far more easily by FOSS AI, or I think they used an IBM SaaS audio transcription library. NYTimes squiggly text was also broken, as many of the images were presented to users with no history of decoded text (any string passes). The Google dashcam CAPTCHAs have never been broken, since no machine vision/autonomous vehicle software companies will ever rent/sell their source code to any non-auto-industry customer. If someone wants to correct this history article, feel free.