How does 2captcha solve the captcha and the token is still valid for the user?

Artem

INTRODUCTION
I'm trying to make an API that solves RECAPTCHAs, but the token is only valid once and only for two minutes after it is generated, as explained in the official reCAPTCHA documentation. So my question is the following: how are CAPTCHA solvers like 2captcha able to solve the captcha, get the token and then send it to you, and you are still able to use it?

WHAT I DO
Here are the steps I follow:

  1. I solve a RECAPTCHA on the following site: recaptcha demo
  2. I get the token, for example 03AGdBq26i2ugKCS8sJVpYZqnHnQgqTr2vM_lmZF3XuinqdmD-bP9WbnxSF8R7zOiMvVwKQiOonrJVApECHGz2VAurRGQLIM5W7Jb6kl60-x-_F1Krk8HrXkGcS4WirrLQtBHpoi2wZB0HQ_Ok-2X2uOU5zUXc9xLO5QVWyp8TSx2RJCfT4flmfVk1NMPEHTWHCCHUAIicewKiZPokmmd2tnLamlo57FKpX1Fp2apad_pSsmlrphWC8O6tQGxkAjU_trEdg0xRTsmbRD3AkCuqdgqkxQFTsIYeqISkaXqc71HWy-L3AmK1hL8T6LZ3pLDfOyGDhyafSNMGqO5zePaAJMf7yvFnTlTlYe-fLwc3VXUkNQ67ML39hzXD2beW38aPLxtt7EovVFHmIBIbsAMAsR9qpQxqtPofTObj_5-oAwfQKuoO-rUg8ODCqLoORhqVQ_bkffvMHQWxXSLX7KtQ1tqpimD4tXFAz_3R_nX12UX_ngb27jBPKgpfkET4FcOFFSSWgr1PIpsAW_97QcYOTHc3tlziuiWL5Okim_7lFkZxBINK1H0pDUA
  3. I insert the token in another captcha in another browser, but on the same site: recaptcha demo
  4. I get the following error:
    Code:
    POST data
    array (
      'ex-a' => 'foo',
      'ex-b' => 'bar',
      'g-recaptcha-response' => '03AGdBq246H-d9zX9ORfE9Zwo7kUKQc50pm7qCKrjuguuU2RXUvRYyxitgIEtNpuTSZqzMAGAYPMpTMRy-NMeftr0zpT3fdaBmVzM8hhGxJ_RxoCpJ-aHSyTdudVHZPYFPAmDftU8WqBApcIA7SLETGMWfKcvy0sugs48J7-CBbryPg4Ckd-tOQnP5pvyfu5ehhIkav4jaaGj6ToXSsVCa35iPy78csRYyXiexgaeyv-bLaCDaGpfb9RXwu2Xmkrlb7fiW-wbRTiYMOWAPm3mu1sMFIBQ9OULD9TxjJS_Gm8QI0S-1UXutya3z-IUPf_KydAXzpkLYStO0hz8wbGlWQ_5OlSuL0EsCCf87broPdVXvwil5U-BFIi55vSgdZ5bHDeYobBxEdV-RcvEYLK3hh19zyomWr3o-VaiS0_5TRVhYY74z1gNA3UpRvLDkLP50Nvbc-roKAps10NhrTQfoMedxMkgaMuwd6Y7zToFhBlT128b6Vir8zNWFucoB5mSdI0OpazuKT0okfln6Otx70NOQUkOxFqkEEsoJtYxxvwPSeOYq39dAqY5rfs8xkZ6ivgZEZDflUpYS',
    )
    Something went wrong
    ReCaptcha\Response::__set_state(array(
      'success' => false,
      'errorCodes' => array (
        0 => 'timeout-or-duplicate',
        1 => 'hostname-mismatch',
      ),
      'hostname' => NULL,
      'challengeTs' => NULL,
      'apkPackageName' => NULL,
      'score' => NULL,
      'action' => NULL,
    ))
    Check the error code reference at https://developers.google.com/recaptcha/docs/verify#error-code-reference.
That means that the token has already been used once, as explained in the official reCAPTCHA documentation.

COMMENTS, OBSERVATIONS
  • So it must be that services like 2captcha can solve the RECAPTCHA without really submitting it, so the token doesn't get used
  • I tried to sniff the HTTP traffic while manually solving a RECAPTCHA on the site recaptcha demo (using Fiddler). I was surprised I didn't see HTTP traffic with the gcaptcha response (or token) apart from the POST request that I sent to the site. Is the gcaptcha response maybe created client-side on the PC (like on my PC)?
  • If you want more details regarding the steps to solve the RECAPTCHA and to pass the token to the other browser, see my answer where I describe everything under the steps headline.
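
An added example, not part of the original post and not code from reCAPTCHA or 2captcha: how a site's backend might interpret the siteverify JSON response behind the rejection shown above, so a reused token or one issued for another host is refused. The sample responses, `example.com`, the fixed clock, and every reason label other than `timeout-or-duplicate` and `hostname-mismatch` are constructed for illustration.

```python
import json
from datetime import datetime, timezone

MAX_AGE_S = 120  # the two-minute validity window mentioned in the post


def evaluate_siteverify(body, expected_hostname, now,
                        expected_action=None, min_score=None):
    """Return (accepted, reasons) for one siteverify JSON response body."""
    r = json.loads(body)
    reasons = list(r.get("error-codes", []))
    if not r.get("success"):
        # A reused or expired token arrives here as timeout-or-duplicate.
        return False, reasons or ["unsuccessful"]
    # Local checks on top of the verdict; labels below are this example's own.
    if r.get("hostname") != expected_hostname:
        reasons.append("hostname-mismatch")
    ts = r.get("challenge_ts")
    if ts is None:
        reasons.append("missing-challenge-ts")
    else:
        solved = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if (now - solved).total_seconds() > MAX_AGE_S:
            reasons.append("challenge-too-old")
    if expected_action is not None and r.get("action") != expected_action:
        reasons.append("action-mismatch")
    if min_score is not None and r.get("score", 0.0) < min_score:
        reasons.append("score-too-low")
    return not reasons, reasons


# Constructed sample responses (not captured from a real site).
NOW = datetime(2021, 3, 1, 12, 1, 0, tzinfo=timezone.utc)
FRESH = ('{"success": true, "challenge_ts": "2021-03-01T12:00:30Z",'
         ' "hostname": "example.com"}')
REPLAYED = '{"success": false, "error-codes": ["timeout-or-duplicate"]}'
OTHER_SITE = ('{"success": true, "challenge_ts": "2021-03-01T12:00:30Z",'
              ' "hostname": "other.example"}')
STALE = ('{"success": true, "challenge_ts": "2021-03-01T11:50:00Z",'
         ' "hostname": "example.com"}')

if __name__ == "__main__":
    for name, body in [("fresh", FRESH), ("replayed", REPLAYED),
                       ("other site", OTHER_SITE), ("stale", STALE)]:
        print(name, evaluate_siteverify(body, "example.com", NOW))
```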