ReCaptcha V3 - beta bypass method.

Mark Miller

2Captcha Engineer
Staff member
Please note that ReCaptcha V3 method is still in development mode. Algorithms and API methods can be changed.

Recently we started to test ReCaptcha V3 bypass methods and it even works slightly.

As you have already noticed, ReCaptcha V3 doesn't ask the user to pass any challenge, but just returns a score to the website - some kind of quality rank of the user who passed the captcha. And the rank should be different for various websites. The score is a number between 0.1 and 0.9.

We made a set of experiments and noticed that if a user has a score of 0.1 on any website, then in most cases (about 90%) he will get the same score on any other website.


How our method works:
When you submit a captcha to us, we distribute it to a random worker on your target website and on our website. The worker gets two tokens from Google. We check the token for our website, and if the score is good enough we guess that the token for your target website is good too and we return it to you. We can't guarantee that you will get a good token, but we guess that in most cases you will.


How to try:
The API is almost the same as for ReCaptcha V2, but there are a few additional parameters:
version=v3 - tells us that it's ReCaptcha V3
min_score=0.5 - minimal score value required. If you set it to 0.1 you will get the token almost immediately; if you set it to 0.5 you have to wait for the token for some time. It's almost impossible to get a token with a score of 0.9, so you are advised not to set it that high.
action=verify - optional parameter, the name of the action from the target website; the action is provided as a parameter of the grecaptcha.execute function on the website

Request example:
Code:
http://2captcha.com/in.php?key=APIKEY&method=userrecaptcha&googlekey=googlekey&pageurl=https://site.com/page.html&version=v3&action=verify&min_score=0.5


Pricing:
During the testing the price is the same as for ReCaptcha V2: $2.99 per 1000.


Refund for invalid tokens:
It's quite complex. In the case of a normal image captcha we can solve it again and check the answer provided by the worker. That's not possible for tokens.
In the case of ReCaptcha V2 we can analyze the statistics of good and bad tokens per worker to identify bad workers, ban them and return funds for their answers.
But ReCaptcha V3 can return a different score for the same worker on different websites - on one website he can get 0.1 and on another one 0.5 at the same time.

What do we suggest:
In addition to the standard method for reporting invalid answers, reportbad, we are adding a new one: reportgood.
When you report a good answer we add the worker who provided the token to a whitelist for your account, and this worker will get your captchas first.
In the future we are planning to return funds for invalid tokens, but only if you report good tokens too.

Feel free to post your questions and suggestions on this matter in the thread comments!
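
From the verifying site's side, the score is only one field of the siteverify response, and the action named in grecaptcha.execute comes back in it as well. The sketch below is an added example, not part of the original post or of 2Captcha's code: the function name, the 0.5 threshold, the `login` action, the `shop.example` host and the sample responses are all constructed assumptions, while the field names are those of Google's siteverify JSON.

```python
from datetime import datetime, timedelta, timezone

MAX_TOKEN_AGE = timedelta(minutes=2)  # Google documents a two-minute token lifetime

def assess_siteverify(resp, expected_action, expected_host, min_score, now):
    """Decide whether to accept a parsed siteverify response. Returns (ok, reasons)."""
    if not resp.get("success"):
        return False, ["siteverify rejected token: %s" % resp.get("error-codes", [])]
    reasons = []
    # The action is set by the page's grecaptcha.execute call; a token issued
    # for a different action must not be accepted for this one.
    if resp.get("action") != expected_action:
        reasons.append("action mismatch")
    if resp.get("hostname") != expected_host:
        reasons.append("hostname mismatch")
    if resp.get("score", 0.0) < min_score:
        reasons.append("score below threshold")
    issued = datetime.fromisoformat(resp["challenge_ts"].replace("Z", "+00:00"))
    if now - issued > MAX_TOKEN_AGE:
        reasons.append("token too old")
    return not reasons, reasons

# Constructed sample responses (not captured from any real site).
NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
BASE = {"success": True, "score": 0.7, "action": "login",
        "hostname": "shop.example", "challenge_ts": "2024-01-01T12:00:00Z"}
SAMPLES = {
    "good": BASE,
    "wrong_action": {**BASE, "action": "verify"},
    "low_score": {**BASE, "score": 0.1},
    "stale": {**BASE, "challenge_ts": "2024-01-01T11:50:00Z"},
    "rejected": {"success": False, "error-codes": ["timeout-or-duplicate"]},
}

def run_samples():
    """Assess every constructed sample against the assumed site policy."""
    return {name: assess_siteverify(r, "login", "shop.example", 0.5, NOW)
            for name, r in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(name, verdict)
```

The action, hostname and age checks bind a token to the form and moment it was issued for, so the score threshold is not the only gate.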
 

f3rg8sn

New member
What does it mean when I receive an error timeout.120 exceeded, does this mean it took too long to get an answer for the v3 Recaptcha?
You stated that the more captchas are sent the greater the chance of it working, does that mean I would need to send multiple captchas from the same URL before the captcha is actually solved?
 

f3rg8sn

New member
Yes, that is correct.

Yes, more or less.

There could be other reasons why the captcha wasn't solved though.
So if I send around 500 captchas that should sooner or later be able to solve it. What other reasons could cause the captcha to not be solved?
 

Mark Miller

2Captcha Engineer
Staff member
So if I send around 500 captchas that should sooner or later be able to solve it. What other reasons could cause the captcha to not be solved?
Most common reason - incorrect request parameters: invalid sitekey/url pair or invalid captcha version (v2, v2 invisible, v3).
 

albeiros2

New member
Hello, where do I get this bot?