How Google's reCAPTCHA v3 works - javascript

Google has rolled out reCAPTCHA v3. It does away with all the user friction. I wish to use it to secure my site. However, I am unsure about how this is going to protect my site. What if a hacker spams the URLs on my site with an external tool without using the interface I provide? How is reCAPTCHA v3 going to stop that?

How is reCAPTCHA v3 going to stop [Spam]?
There are various heuristics which can be used to detect automated systems, such as the number of requests coming from a certain IP, browser fingerprinting, Google account cookies, among many others. Google seems to use some of them. If uncertain, a challenge gets shown.
What if a hacker spams the URLs on my site with an external tool without using the interface I provide?
Google generates a token for the client when they pass the checks, which you have to validate on the server side. If someone doesn't pass the CAPTCHA (a robot), they do not have a token.

In addition to the user behavior tracking on your site (as explained by Jonas Wilms), the v3 (and v2) also makes decisions based on your IP, ASN, browser and any kind of information about your system based on the information sent via your HTTP request.
The only difference is that V2 is a complete solution, i.e., if it thinks a user may be a bot, it will pose additional challenges until it is convinced the user is a human. On the other hand, V3 is non-intrusive. It generates a score based on the parameters discussed above and passes it on to you. It is then your decision to take appropriate steps (like posing challenges, or requiring two-factor authentication, etc.) based on this score.
IMO, it is better to start with a V2 solution and implement V3 if you want more control or have a better way to challenge the user if they have a low score.
(Here is an interesting article on the differences)
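The server-side step both answers above rely on (the client token is sent to Google's siteverify endpoint and the returned score is yours to act on) as an added example; this is not code from either answer. It assumes Node 18+ for the global `fetch`, and the action/hostname values and sample siteverify bodies are constructed for the demo.

```javascript
// Endpoint reCAPTCHA tokens are verified against (real Google URL).
const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Build the form-encoded body siteverify expects: the site secret, the token
// the client obtained from grecaptcha.execute(), and optionally the caller IP.
function buildSiteverifyBody(secret, token, remoteIp) {
  const params = new URLSearchParams({ secret, response: token });
  if (remoteIp) params.set('remoteip', remoteIp);
  return params.toString();
}

// Decide whether a siteverify JSON body should be accepted. A v3 token is only
// trustworthy when: success is true, the action Google recorded matches the
// one this form claims, the hostname is ours, and the score clears the bar.
// Checking only `success` lets a token minted for a cheap action (or another
// site's page) be replayed against an expensive one.
function assessVerification(body, { expectedAction, expectedHostname, minScore = 0.5 }) {
  if (!body || body.success !== true) {
    const codes = (body && body['error-codes']) || [];
    return { ok: false, reason: `verification failed: ${codes.join(',') || 'unknown'}` };
  }
  if (body.action !== expectedAction) {
    return { ok: false, reason: `action mismatch: got ${body.action}` };
  }
  if (body.hostname !== expectedHostname) {
    return { ok: false, reason: `hostname mismatch: got ${body.hostname}` };
  }
  if (typeof body.score !== 'number' || body.score < minScore) {
    return { ok: false, reason: `low score: ${body.score}` };
  }
  return { ok: true, score: body.score };
}

// Full round trip. fetchImpl is injectable so the logic can be exercised
// without network access; in production leave it as the global fetch.
async function verifyRecaptchaToken(secret, token, opts, fetchImpl = fetch) {
  const res = await fetchImpl(SITEVERIFY_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildSiteverifyBody(secret, token, opts.remoteIp),
  });
  return assessVerification(await res.json(), opts);
}
```

A low score is a signal, not a verdict: the usual response is to step up (challenge, e-mail confirmation, rate limit) rather than to reject outright.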

In a few simple words, Google tracks your whole cursor and keyboard movement, from moving the mouse to select form fields to pressing tab to change fields.
To verify whether reCAPTCHA is working or not --> Submit a form and then click refresh; it would ask for re-submission. Click continue. But as this is very similar to robot activity of submitting a form without any cursor or keyboard movements, reCAPTCHA will prevent the form submission or any other stuff from happening.

Related

Is there any way to skip the Google Captcha in Protractor?

I am trying to automate the Registration screen of my Angular app but I am not able to view the Submit button due to Google Captcha. Is there any method to skip the Google Captcha and proceed to click on the Submit button in Protractor? I tried switching the frames but it didn't work out. Please help.
CAPTCHAs (or Completely Automated Public Turing tests to tell Computers and Humans Apart) are designed to be a gate that lets humans through and robots (programs) out.
For reCAPTCHA v2 the story is a little different. You’re still engaging in the same 2-step process as above but you’re sending different data. In this case you need to send the reCAPTCHA sitekey which can be found on the containing , regardless of whether or not the iframe has loaded.
The response you get is a token that needs to be submitted alongside the form and needs to be entered into a hidden text field with the ID of g-recaptcha-response.
TL;DR, you can't really bypass CAPTCHAs (that is basically the idea of them)

CasperJS: Amazon infinite Captcha Login

I am using Casperjs to Login in my Amazon Account and retrieve some data.
But once in a while I get Captchas on the login. So casperjs display to me the captcha and I manually return the solution so it can submit the form.
The problem is that CasperJS gets immediately another captcha, this time it's more difficult. I resolve this too, but another captcha appears... and so on indefinitely...
I don't do anything special, just some casperjs fill and click.
Casperjs loads in the page an external js file with the captcha solution, and then submit.
I am sure that the right captcha is submitted.
How can Amazon be so sure to trap me in an infinite loop?
Consider how it looks from their point of view. They can tell a robot is accessing your account based on mouse and keyboard interactions. A human will scan the page and move their mouse randomly while searching for the login buttons. Your script jumps directly to clicking the selector.
When a captcha appears, you fill it in. This does not prove you are a human. This simply proves that your robot can alert you to a captcha for a human to fill in. The rest of the interactions are all done by a robot, and Amazon is fully aware of this. You can answer as many captchas as you like, but the interactions to get this far are still going to be flagged as a robot.
You may want to go down a different route, like having a cookie to start a CasperJS session with your account already logged in. Alternatively, does Amazon provide any sort of API to pull out the value you're interested in?
They're blocking your robot out of genuine love and concern, if that makes you feel any better!
Unfortunately this is not an exact science, so probably there is no such thing as a general, durable solution. Amazon.com uses different techniques to check if you are a robot, including browser fingerprinting, cookie challenges and user behavior profiling (mouse movements and so on).
I would try first to randomize some part of the user agent, only to see if that works. And I would also try a full headless browser like Chromium, using Selenium to allow the script to talk with it.
Can I ask how frequently you are trying to crawl your account? I think it shouldn't be a big deal if you are doing that once a day or so.

Can I associate a user's account with an action to the drive API?

We're looking to make a little webapp to manage our week-long nerf war (humans vs zombies to be precise), and we're thinking about how easy it would be to have Google Sheets be our only backend, and our frontend be entirely javascript/html/css.
Let's say there's two actions that can be done in this javascript:
Register, which adds a row to a certain sheet.
Report tag, which adds a row to another sheet.
Let's say we have 100 players. We'll have each player sign in using a google account. Is there a way that for either of those above actions, we can have sheets know who made that action?
This way, if someone gets hold of the API key and spoofs their referer to make bad requests, then we can know which google account did it and ban them from the game.
For example, if I open up my sheet and say "see revision history", I want to not see one user for all the revisions, I want to see the user who triggered the action.
Is this a reasonable approach, and is it possible? Thanks!
(Note: I know these two actions can be done via Google Forms, which can associate the user's account, but imagine we have more complex actions that can't be achieved with just a Google Form.)
The short answer is no. You'll be using the Spreadsheets API (NOT the Drive API) to update the sheet. As far as Google is concerned, the "user" is your application, regardless of which human was driving the application at the time. Your application knows who the human is, and so it is responsible for logging any audit info that your use case may require.

Using Facebook, Twitter, Google conversion pixels when linking to external site

I'm working on a site where conversions involve sending users to Eventbrite pages, where the users can make a purchase. I am using Facebook, Twitter, and Google ads, but they seem to require my site having a second page with a conversion pixel to track conversions. Since my homepage is sending the user to Eventbrite, where I can't add the pixel since I cannot adjust the pages' code, I am having a hard time figuring out the best way to use a pixel to track conversions. Any help with how to do this would be very appreciated.
I wrote to Eventbrite to ask them this very question, and got the unhappy answer:
"Unfortunately, we currently are not offering the ability to use
conversion pixels on event pages. The closest thing we have would be
using Google Analytics on your event pages."
As I use infusionsoft, I am looking into replacing Eventbrite with a plugin like: http://marketplace.infusionsoft.com/app/dynamicsync which has the App for attendance, the Wordpress plugin for sales, and automatically connects to my CRM, so I don't need to create Zapier Zap for every event I create.
Considering I pay Eventbrite an average of $100 per event in fees, I think the $20 per month is worth it for this type of software, that means I can control the HTML on the pages, and keep people inside my website. I might just have to get HTTPS certs' on my website, or add online purchasing to my system, which apparently Infusionsoft can do, just haven't harnessed that yet.
Eventbrite has since added Pixel IDs for Twitter, AdWords and Google Analytics. You can go to 'Manage Event' and scroll down to Tracking Pixel under Analyze.
Unfortunately they don't provide a Facebook Tracking Pixel support by default. The closest thing I have come to is using the Order Confirmation page to insert the pixel JS.

Use Google Analytics custom events for feedback form

I was thinking of having a simple feedback form in my website.
It would be something like:
Your Feedback will help us improve.
[ ]
and then a textfield/textarea where the user can type (let's say) up to 100 characters of feedback.
Rather than handling it all myself on the server side I was thinking to use Google Analytics (since my site is already wired up) and every time a user writes a comment, send a custom event to Google Analytics.
I think it might work.
Can people suggest a better approach or point out any problem with this idea?
There are a few problems with this.
First of all, it's against the Google Analytics Terms of Service to pass personally identifiable information to Google Analytics (#7). So, if you were to want to collect their feedback, you legally could not collect their name or email address without risking your account getting shut down by Google.
Second, this is not at all what Google Analytics is for; it's for collecting aggregate traffic and site interaction data. There's no easy-to-use interface for viewing long-form text information; I'm not even sure how you'd view event information that's longer than a few words.
Finally, Google Analytics sends its information in URLs, and there are size limitations to URLs (in Internet Explorer), and so Google Analytics will by default truncate any request with more than 2048 characters, meaning that your data will not collect accurately for longer feedback forms. (EDIT: Google Analytics recently raised this cap to 8096, by configuring the requests to use POST when >2048 characters.)
There are lots of free and easy to use data and form collection tools. Google Docs, for example, connected with Google Forms, can collect this data for you with ease. Then there's Wufoo, SurveyMonkey, UserVoice...I could go on forever.
Don't use Google Analytics for this. It's a bad idea with no upside.
Google Analytics events weren't made for gathering user feedback. Aside from the impracticalities of using the analytics console to view feedback, GA uses JSON to pass event information (which has size restrictions).
Why not try out uservoice.com or suggestionbox.com?
