From a previous recaptcha discussion[1] it seems like the going rate for solving recaptchas is $2 for 1000 solved, or as low as $1/1000. This method would actually be more expensive than that at $6/1000[2].
Similar to my other comment, as a normal user, I'd happily pay 1/10th of a cent (as long as it went to the grey market, and not the website or Google) to bypass a recaptcha.
That incentive only works if a website's primary captcha use case is spam avoidance. Most websites that use captchas have a vested interest in preventing you from being able to bypass them by tossing money around. Paying to remove captchas is fundamentally unlike similar proposals (like paying to remove advertisements) that are designed to make innocuous users' lives easier because captchas aren't solely designed to prevent spam, nor are they designed as a passive revenue stream.
For example, one common use of a captcha is, essentially, rate-limiting in a non-spam prevention context. It's arguable that rate-limiting should be implemented differently, but captchas are actually fairly effective for rate-limiting regardless. Websites that feature things like gift card numbers typically put captchas on lookups and validations to prevent people from simply brute-forcing them (especially if they do not use gift card pins). In scenarios like that, you don't want spammers to be able to bypass captchas, but if they fundamentally can, at least it costs them money.
On the other hand, explicitly supporting captcha avoidance as a revenue stream presents malicious users with the same opportunity that parents get if you offer to fine them for being late to pick up their children from daycare. You've just implicitly given them a choice that was not really allowed before, and they'll happily pay you directly instead of the shady API they have to use to get rid of the captcha.
So to sum up - captchas aren't fun, but in principle you really don't want there to be a consistent method for cheaply bypassing them (whether grey market or officially supported) if the expected value of doing so is significantly higher than the cost.
Funny you mention Google. If you keep logged in to Google (yes, yes I know but for me it's the lesser of two evils) you'll only occasionally need to tick an "I'm not a robot" box instead of doing a full captcha.
When I was at Yahoo we had a HackDay where there was one team that used Flickr data to make a captcha that asked for tags for an image it displayed. Another team used Flickr data to look at images and automatically tag them...
Wow. I want this as a browser plugin. The image recaptchas are extremely time consuming (maybe I click the wrong images, or they're just punishing me for logging out and clearing cookies...), and I don't want to futz with the audio ones.
Yeah, it's really brutal. I find the new recaptchas which I hit almost every time are much more exhausting than the old text-based ones, and probably much easier for a machine to solve to boot.
The worst are the questions like "Click the images with a store front". What the hell is a store front? Especially in today's world. Is a garage a store front? Is a hot dog stand a store front? Same with like "Click the images with cars" but there's a crossover. Is that a car? Is a station wagon a car?
I've found it's best to just not think about it too much. CAPTCHAs are, after all, designed to "tell Computers and Humans Apart". You're a human, so just pick whatever seems reasonable and move on. If the system doesn't accept your answer, that's _its_ fault, not yours.
I've gotten several times the one asking for "tea", that requires you to select three pictures of coffee[1]. With the store fronts, at least I can read what they say. They are often in Spanish, for one reason.
So humans have to clear higher and higher hurdles to prove themselves human while the computers use the answers from the captchas to get closer to humans' capabilities.
I was meaning to use the idiom "to boot", you cut off a word.
Perhaps my grammar wasn't correct there though.
In any case, check out the blackhat presentation about using Google's image recognition to solve the image based captchas. There are a wide variety of fairly advanced image recognition tools but a surprisingly small number of complex text recognition ones.
It's not you. They simply don't fucking work anymore. I'd pay for this as a browser plugin because clearly Google at some point stopped testing to actually see if recaptcha actually works. It doesn't, though it used to. Sites that use recaptcha are broken and if I do contact them for other reasons, I make sure to let them know that the site is inaccessible to a large part of their audience. Ironically, that includes part of Google itself ...
I get a recaptcha every time I log into hilton to book a hotel room for a trip. That's the only site this happens on; I wonder what I'm doing to trigger it.
Sites get to set the captcha security. There's 3 tiers. The highest one will always bug the user, the lower one will almost never do it (unless it's a specific flagged IP). Default is somewhere in the middle, but I'm guessing that site has it set to the highest.
The person you're replying to has a different issue. The way the one button captcha works is by using your cookies to try to figure out if you're a real human user or a robot. If you clear your cookies, you'll almost always get the captcha.
Is this a PoC bug bounty type of deal, or "here's a neat tool that can beat reCaptcha" type of deal? Seeing a bunch of comments about wanting a browser plugin that exploits this, but I'm wondering if that would be legal or not after reading (from HN several weeks ago) about the ticket scalpers who automated TicketMaster's site and were charged with fraud. The case isn't exactly analogous, but it's close enough to make me wonder.
They did, indeed, get charged with wire fraud, and entered guilty pleas[1].
The EFF and others were pretty dismayed with this, and felt it should have been a civil, and not criminal matter.
Since that time, Congress also passed a "Bots Law" that specifically spells out gaming online tickets as "treated as unfair or deceptive acts or practices under the Federal Trade Commission Act." [2] I suspect this opens a door for larger fines as well.
Maybe they should have dubbed this ReNotBreakCaptcha?
> I’ve tested with 3 examples, and none had the correct answer: the first one only detected 3 out of 6 numbers, the second had 10 digits, one of them wrong, and the third couldn’t recognise.
> Also, it seems that Google implements a max number of retries for the audio challenge.
This is not a captcha replacement at all. The constraint on proof of work functions is that they are compatible with mobile users, which puts an upper bound on the approach.
Custom work (even in the presence of scrambled approaches) and servers instead of mobiles both make this approach problematic.
But, it is not exploitable - when Google identified high volume attacks, the voice captcha is changed into a more complex voice which cannot be identified via this tool.
1. https://news.ycombinator.com/item?id=11453697
2. https://cloud.google.com/speech/pricing