Common reasons a ReCaptcha token submission fails:
the token timed out - each token is valid for 120 seconds after the challenge is passed, so you have at least 100-110 seconds after getting it from the API to submit it;
the website uses a callback for ReCaptcha and you don't call it correctly;
the website uses some kind of additional protection and you have to find a way to override it.
Starting in July, a few clients independently complained that some ReCaptcha tokens were not accepted by the websites where they bypass ReCaptcha. We ran a set of experiments and found that, during token verification, the ReCaptcha API returns the error:
Our service is not the only one affected by this problem: real people who pass ReCaptcha on websites manually are affected too - the website doesn't accept the solution even when the challenge is completed.
There's no description of the incorrect-captcha-sol error in the ReCaptcha API documentation. We don't really know the root cause of this error, but we found some factors it depends on.
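For a site owner on the receiving end of these tokens, here is an added example (not from the original post) of server-side handling of a parsed siteverify response: it fails closed on undocumented codes such as incorrect-captcha-sol and re-checks hostname and token age. The function name, reason strings and sample responses are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

TOKEN_LIFETIME_S = 120  # token validity period stated on this page
# Error codes listed in the reCAPTCHA siteverify documentation.
DOCUMENTED = {"missing-input-secret", "invalid-input-secret", "missing-input-response",
              "invalid-input-response", "bad-request", "timeout-or-duplicate"}
# Codes where asking the visitor to solve a fresh challenge is the right response.
USER_RETRY = {"timeout-or-duplicate", "missing-input-response", "invalid-input-response"}


def evaluate_siteverify(resp, expected_hostname, now):
    """Map a parsed siteverify JSON body to (accept, reason); anything unclear is rejected."""
    codes = resp.get("error-codes") or []
    if resp.get("success") is not True:
        unknown = sorted(c for c in codes if c not in DOCUMENTED)
        if unknown:  # e.g. incorrect-captcha-sol: reject and log for review
            return False, "undocumented-error:" + ",".join(unknown)
        if any(c in USER_RETRY for c in codes):
            return False, "retry-challenge"
        reason = "server-misconfigured" if codes else "no-error-code"
        return False, reason
    if resp.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"  # token was solved on another site
    try:
        solved = datetime.fromisoformat(str(resp["challenge_ts"]).replace("Z", "+00:00"))
    except (KeyError, ValueError):
        return False, "bad-timestamp"
    if solved.tzinfo is None:
        solved = solved.replace(tzinfo=timezone.utc)
    age = (now - solved).total_seconds()
    if not 0 <= age <= TOKEN_LIFETIME_S:
        return False, "stale-token"
    return True, "ok"


# Constructed sample responses (not captured from a real site).
NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)
GOOD = {"success": True, "challenge_ts": "2024-01-01T12:00:00Z", "hostname": "example.com"}
REJECTED = {"success": False, "error-codes": ["incorrect-captcha-sol"]}
EXPIRED = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for sample in (GOOD, REJECTED, EXPIRED):
        print(evaluate_siteverify(sample, "example.com", NOW))
```

Logging the undocumented-error reason separately from retry-challenge lets a site measure how often tokens are rejected after a visually successful challenge.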
Potential causes of incorrect-captcha-sol error
From what we observed, the main causes of the incorrect-captcha-sol error are:
Bad IP address
It looks like ReCaptcha keeps some kind of rating for each IP address. If you pass ReCaptcha a few times a day (not more than 50) and do so without errors, then your IP is good.
But if you make many errors during the challenge, close the challenge without finishing it, or pass more than two challenges per minute, then your IP is banned and you receive tokens that result in incorrect-captcha-sol when verified through the API.
Google also has some kind of rating for all users. When you visit google.com or pages with ReCaptcha you receive cookies. Google analyses your online actions and estimates whether it is looking at a real human or a robot.
So if a user with a given set of cookies passes lots of ReCaptcha challenges per day, even from different IP addresses, then that user is considered a robot: even if the challenge is passed and the user gets a green checkbox from ReCaptcha, the API returns incorrect-captcha-sol when the token is verified.
The devil of it is that if you log into your Google account, all your recent actions will be associated with your account. And if in the past Google decided that you are a robot, then in most cases (about 75%) your ReCaptcha solutions will be declined.
How do we avoid incorrect-captcha-sol
To decrease the number of bad tokens returned by our service, we regularly reset cookies in workers' applications and also measure the quality of workers' IP addresses.
Some of our workers have bad IP addresses, and the tokens the ReCaptcha API returns to them are declined with the incorrect-captcha-sol error during verification. To avoid returning bad tokens, we distribute test captchas to each unique IP every hour; if we receive incorrect-captcha-sol, we stop distributing captchas to this IP address, and users with this IP address receive only captchas with a proxy. And of course we check proxies regularly too.
As a result, we decreased the number of bad tokens to 1-3%. Unfortunately, the days when we guaranteed 100% valid ReCaptcha answers are gone.
Refund for incorrect tokens
In July we enabled the reportbad method for ReCaptcha. Now you can cut costs by automatically informing us that a token didn't pass verification. You can find more information on this method in our API guide.
We collect the statistics and every hour return funds for tokens returned by workers with bad IP/cookies.
I can’t pass the challenge manually. What to do?
Unfortunately, lots of people have faced a problem with websites protected by ReCaptcha: they can't log in or register even if they pass the challenge. We'll cover that in our next publications. Keep in touch!