ReCaptcha V3 - beta bypass method.

Mark Miller

2Captcha Engineer
#1
Please note that ReCaptcha V3 method is still in development mode. Algorithms and API methods can be changed.

Recently we started to test ReCaptcha V3 bypass methods and it even works slightly.

As you already noticed, ReCaptcha V3 doesn't ask the user to pass any challenge, but just returns a score to the website - some kind of quality rank of the user who passed the captcha. And the rank should be different for various websites. The score is a number between 0.1 and 0.9.

We made a set of experiments and noticed that if a user has a score of 0.1 on any website then in most cases (about 90%) he will get the same score on any other website.


How our method works:
When you submit a captcha to us we distribute it to a random worker on your target website and on our website. The worker gets two tokens from Google. We check the token for our website and if the score is good enough we guess that the token for your target website is good too and we return it to you. We can't guarantee that you will get a good token but we guess that in most cases you will.


How to try:
The API is almost the same as for ReCaptcha V2, but there are a few additional parameters:
version=v3 - tells us that it's ReCaptcha V3
min_score=0.5 - minimal score value required. If you set it to 0.1 you will get the token almost immediately; if you set it to 0.5 you have to wait for the token for some time, but it's almost impossible to get a token with a score of 0.9, so you are advised not to set it that high.
action=verify - optional parameter, the name of the action from the target website; the action is provided as a parameter of the grecaptcha.execute function on the website

Request example:
Code:
http://2captcha.com/in.php?key=APIKEY&method=userrecaptcha&googlekey=googlekey&pageurl=https://site.com/page.html&version=v3&action=verify&min_score=0.5

Pricing:
During the testing the price is the same as for ReCaptcha V2: $2.99 per 1000.


Refund for invalid tokens:
It's quite complex. In the case of a normal image captcha we can solve it again and check the answer provided by the worker. That's not possible for tokens.
In the case of ReCaptcha V2 we can analyze the statistics of good and bad tokens per worker to identify bad workers, ban them and return funds for their answers.
But ReCaptcha V3 can return a different score for the same worker on different websites - on one website he can get 0.1 and on another one 0.5 at the same time.

What do we suggest:
In addition to the standard method for reporting invalid answers, reportbad, we add a new one: reportgood.
When you report a good answer we add the worker who provided the token to a whitelist for your account, and this worker will get your captchas first.
In the future we are planning to return funds for invalid tokens, but only if you report good tokens too.

Feel free to post your questions and suggestions on this matter in the thread comments!
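
For site operators reading this thread: the score and action discussed above come back to the website in Google's siteverify JSON response, together with `hostname` and `challenge_ts`. The following is an added example, not part of the original post and not 2Captcha's code, showing a server-side check that looks at all four fields instead of the score alone. The hostname, thresholds, action name and sample responses are assumptions constructed for the illustration.

```python
from datetime import datetime, timezone

# Hypothetical policy values for this example (not from the post).
EXPECTED_HOSTNAME = "site.example"
MIN_SCORE = 0.5
MAX_TOKEN_AGE_S = 30  # tighter than the two minutes siteverify itself allows

def assess(resp, expected_action, now):
    """Return (accepted, reasons) for a parsed siteverify JSON response."""
    if not resp.get("success"):
        return False, ["verify_failed:" + ",".join(resp.get("error-codes", []))]
    reasons = []
    # Token must have been issued on our own site ...
    if resp.get("hostname") != EXPECTED_HOSTNAME:
        reasons.append("hostname_mismatch")
    # ... for the action this endpoint expects, not just any action.
    if resp.get("action") != expected_action:
        reasons.append("action_mismatch")
    if resp.get("score", 0.0) < MIN_SCORE:
        reasons.append("low_score")
    # A token handed from one party to another arrives later than one
    # submitted by the browser that generated it, so check its age.
    ts = datetime.fromisoformat(resp["challenge_ts"].replace("Z", "+00:00"))
    age = (now - ts).total_seconds()
    if age < 0 or age > MAX_TOKEN_AGE_S:
        reasons.append("stale_token")
    return (not reasons), reasons

# Constructed sample responses, evaluated at a fixed "now".
NOW = datetime(2024, 5, 1, 12, 0, 20, tzinfo=timezone.utc)
FRESH = {"success": True, "score": 0.7, "action": "login",
         "hostname": "site.example", "challenge_ts": "2024-05-01T12:00:05Z"}
LATE = dict(FRESH, challenge_ts="2024-05-01T11:59:10Z")
WRONG_ACTION = dict(FRESH, action="verify", score=0.3)
REUSED = {"success": False, "error-codes": ["timeout-or-duplicate"]}

if __name__ == "__main__":
    for name, r in [("fresh", FRESH), ("late", LATE),
                    ("wrong_action", WRONG_ACTION), ("reused", REUSED)]:
        print(name, assess(r, "login", NOW))
```

Log the rejection reasons per client rather than only blocking: a steady stream of `stale_token` or `action_mismatch` results with otherwise acceptable scores is a signal worth correlating with other request features.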