HL 2.5.0.beta1 -> 2.8.0 Unable to Login to Epic: Captcha answers always wrong.

[PadTrick]

Describe the bug

i try to login into my epic account, but regardless what i do, the given answers are always wrong.

Add logs

no log

Steps to reproduce

try to login

Expected behavior

to login

Screenshots

No response

Heroic Version

Latest Stable

System Information

Arch

Additional information

No response

[arielj]

that sometimes happens to me but even on my browser, I have to try a few times until it changes the prompt of the captcha and then it works fine

can you confirm if after trying 3 or 4 times it changes the prompt and then it works?

[PadTrick]

tried it over 20 times on heroic launcher. in browser it works flawless

[flavioislima]

This is my experience and it is working just fine. the problem is that those captchas are becoming more and more difficult now:

Closing since we can't reproduce the issue.

[PadTrick]

strange, for me the only way to get it was to login into browser and solve the captcha there. i even had the exact same captcha and i solved it, where HL told me that it was wrong.

i'm currently using 2nd login method which doesnt login, but the games in my lib are atleast working.

maybe it's a strange behavior of the captcha idk

[flavioislima]

Yes, the problem is not the captcha. Looking further into it, I can see it return status 400, bad request, after the login.

So my theory is that epic found a way of blocking heroic.

Tried several things and could not fix it so far.

I'm reopening this issue.

[arielj]

I can't reproduce this, I tried with a clean config directory and I was able to login first try with the captcha, maybe it was a temporary thing?

[PadTrick]

have this issue since 1 week. trying daily to login, but always the same. idk what it is, i also have this on 2 other machines, with other distros. tried flatpak, arch aur package, binary ... clueless and confused

~2 weeks ago all worked flawless. then the issue with DLC for EliteDangerous accoured. (where he doesnt detect the size of the DLC, the installer never finishes. have to pause it, close HL , resume it, it will finish, but dlc will be missing. can verifiy with ED Launcher to download missing parts and play, but its really annoying).

[mumbleskates]

it does indeed look like epic is killing these sign-in attempts based on user-agent or something. my login token expired and i can't get it back by logging in inside heroic. i could probably import my browser's login cookies to .config/heroic/Partitions/epicstore/Cookies but that's so much effort

edit: and it doesn't even work, so.

[mumbleskates]

i was able to get the launcher, but not the store page, to be logged in via the alternate login path where you paste the login token from legend. although this did produce the error below, it does function and launch games afterwards:

An error has occurred! Try to Logout and Login on your Epic account.
[cli] INFO: Logging in...[Core] INFO: Trying to re-use existing login session...[cli] INFO: Getting game list... (this may take a while)Traceback (most recent call last):
File "legendary/cli.py", line 3061, in <module>
File "legendary/cli.py", line 2972, in main
File "legendary/cli.py", line 206, in list_games
File "legendary/core.py", line 511, in get_non_asset_library_items
File "legendary/api/egs.py", line 229, in get_library_items
File "requests/models.py", line 1021, in raise_for_status
requests.exceptions.HTTPError: 500 Server Error: Internal Server Error for url: https://library-service.live.use1a.on.epicgames.com/library/api/public/items?includeMetadata=True
[111871] Failed to execute script 'cli' due to unhandled exception!

[flavioislima]

Guys, I think I found the issue, can you guys test the build from this PR to confirm: https://github.com/Heroic-Games-Launcher/HeroicGamesLauncher/actions/runs/4906572797?pr=2688

[PadTrick]

Guys, I think I found the issue, can you guys test the build from this PR to confirm: https://github.com/Heroic-Games-Launcher/HeroicGamesLauncher/actions/runs/4906572797?pr=2688

doesnt work for me. but i check on another machine. tested on another machine, where Hl wasnt installed. no luck. i'm on arch on both systems, can this be a source for the problem ?

[p3ak]

Guys, I think I found the issue, can you guys test the build from this PR to confirm: https://github.com/Heroic-Games-Launcher/HeroicGamesLauncher/actions/runs/4906572797?pr=2688

doesnt work for me. but i check on another machine. tested on another machine, where Hl wasnt installed. no luck. i'm on arch on both systems, can this be a source for the problem ?

Nope, same issue, WIn 11

[p3ak]

Guys, I think I found the issue, can you guys test the build from this PR to confirm: https://github.com/Heroic-Games-Launcher/HeroicGamesLauncher/actions/runs/4906572797?pr=2688

Any chance this update can be pushed really soon?

[PadTrick]

Guys, I think I found the issue, can you guys test the build from this PR to confirm: https://github.com/Heroic-Games-Launcher/HeroicGamesLauncher/actions/runs/4906572797?pr=2688

Any chance this update can be pushed really soon?

doesnt work for me on all my systems. i even tested very old versions. to me it seems like epic changed something on their end, which needs to be implemented/changed

[p3ak]

Funny enough: It now works for me again.. also had other captchas than yesterday... lol

[staticEndeavour]

I don't know if it's of any use, but when I tried the alternate login method, the captcha would not solve when I blocked HTML canvassing, but I could solve and the site allowed me to grab the authentication # when I allowed HTML canvassing.

[Erz3]

I don't know if it's of any use, but when I tried the alternate login method, the captcha would not solve when I blocked HTML canvassing, but I could solve and the site allowed me to grab the authentication # when I allowed HTML canvassing.

I don't understand you. I have got the same issue, could you explain it better?

EDIT: I can log in with the alternative way.

[Arcitec]

@flavioislima Epic is blocking Linux.

Brave, with a normal OR PRIVATE (no cookies) browser tab, all with both "Block fingerprinting: Standard" AND "Disabled" (to unblock HTML canvas due to comments above), and also trying the latest Google Chrome with zero extensions/changes, ALL give THIS error when doing PURE web browser login TOTALLY UNRELATED to Heroic/Legendary. Just going to the website and trying to login gives this error:

VPN doesn't work either.

I have a session in my browser that is still logged in from earlier, but I cannot buy games with it because it says that captchas are wrong.

I found a website that l can test captchas with. They work:

https://nopecha.com/demo/hcaptcha

Therefore, the captcha answer is correct. Epic is choosing to pretend like we answer the captcha incorrectly.

I was able to log in and use the website and buy games via an ANDROID PHONE instead.

My guess is that Epic is blocking Linux.

[mumbleskates]

this doesn't say much; captcha rejections are arbitrary, and you are just as likely to be getting blocked based on IP address (VPNs are also extremely likely to be caught in blanket IP bans for this kind of thing)

[Arcitec]

@mumbleskates No. If I use hCaptcha's test website, all captchas are accepted from my Linux browser:

https://nopecha.com/demo/hcaptcha

And as for Epic login, I am totally successful via my phone (exact same IP address).

Here is what I get on my Linux Brave browser where I am still logged in from a months-old login session. I can add games to the cart but if I try to buy them, the captcha fails and says:

Then I use my phone (Google Chrome, Android, same IP) and buy the game no problem.

[Arcitec]

@mumbleskates

I decided to try my Windows 11 virtual machine, with Microsoft Edge browser, and the exact same IP address.

• Login: Works. In fact they didn't even ask me to solve any captcha.
• Finishing cart purchase (same cart as failed on Linux above): Works. And again they didn't ask me to solve captcha.

SAME. IP.

Epic hates Linux. Confirmed.

[Arcitec]

If I had to guess, Epic has raised their "threat level" threshold.

• Epic uses Cloudflare to test user browser legitimacy.
• Epic uses hCaptcha to test if user is a human or a bot.
• The captcha service is serving harder captchas to Linux users, fact. Windows/Android logins don't get any captcha at all, or get very simple ones. The Linux captchas have crazy artifacts to defeat AI/bot logins and match the style of the "Hard" captcha difficulty seen at https://nopecha.com/demo/hcaptcha/
• The captcha service is responding that the Linux user successfully completed the captcha, but Epic isn't happy enough about that.
• The combined score from Cloudflare + hCaptcha are used to reject users.
• Linux users probably have a higher "threat score" than Windows. Therefore the blocking may not be intentional. If anyone has a communication line to Epic, please use it, because they most likely aren't aware. But of course, Tim Sweeney famously hates Linux (he rants against it on Twitter), so there is a non-zero risk that they are aware and did this on purpose.

[mumbleskates]

normal epic login works completely fine from my linux browser, and has never even served me a captcha. it is arbitrary, and no data point necessarily generalizes this way. unless you can find a specific browser feature that makes or breaks the process (which it sounds like you haven't) this is just another data point.

these kinds of login filters put all the data they have access to into some heuristic, and yes linux user-agents generally do have a higher threat score.

[Arcitec]

@mumbleskates What browser are you using? I can test it too. I have most likely received a higher IP-based score in general (no idea why but my pattern is to grab all free games and never buy anything, and I use Legendary/Heroic, which may be raising my "bad" score due to bad API calls), which together with also being a Linux user and having an even worse score as a result, would justify them in putting me into the trash-can @ Epic. I have made like $100 in purchases in total but that was mostly two years ago. So I am a net-loss for them.

The problems began about 3-4 days ago. Since then I cannot make any new logins or purchases except if I use Windows or Android. Same IP, as mentioned. I am thinking that I should contact their support to see if they can get it to the proper department.

[Arcitec]

Ultimate hilarity. I used my still-logged-in-since-months-ago Linux browser session to try to make a ticket. The ticket process asks for a captcha which of course fails. :D

I submitted the ticket via Windows instead. I suggest that EVERYONE affected starts contacting Epic's support (via your account page: Need Help: Contact us (at the bottom)). And explain that the issue needs to be relayed to the engineering team because this is a clear issue on their end, not ours.

Another fun discovery:

Viewing the support contact form via Linux shows:

Via windows it shows the live chat as available. This is before even attempting to click anything. It just immediately doesn't want anything to do with my Linux browser's contact request. :)

[PadTrick]

I'm on Arch and with Opera i also dont get any Captchas to solve. But i get Captchas on Firefox and can successful solve these, the same with Chrome. Just the Heroic Launcher refuses somehow to accept the correct answers and goes karen mode ^^

[Erz3]

Me too… I can log in with Firefox on Linux. The problem is with Heroic, I think.

[Nocccer]

For me it sounds like it depends on the webdriver version. Electron uses chrome driver with a specific version. It might only happens with a old or to new version?

[Arcitec]

Me too… I can log in with Firefox on Linux. The problem is with Heroic, I think.

@Erz3 Thank you for that information.

• Brave: Fail.
• Chrome: Fail.
• Firefox Flatpak: Success.

So firefox is more trusted than Chrome/Brave.

(And before anyone says it: I had totally "stock" Chrome with no customizations, no adblocking etc so I haven't messed it up myself :D And in Brave I disabled fingerprint blocking etc and it still doesn't work there.)

So it's confirmed that Epic gives bad rating to Chrome-based browsers on Linux. On Windows they all work.

[flavioislima]

@Arcitec I don't think the issue is with Linux because I have the same problems on macOS. I believe that it's something blocking our IP on their end.

Because for me sometimes I can log in fine on Heroic, sometimes I cannot log in even on the browser. Looking at the dev tools, I see a bad request error 400 but could not find more info on what could be wrong.

[Nocccer]

Can the method to login make a different? I log in via google and i have no captcha prompt and login works fine. I can login fine on chrome. Never got a captcha.

[flavioislima]

Can the method to login make a different? I log in via google and i have no captcha prompt and login works fine.

yes, only Epic logins are being affected, if you use google or any other it will be fine.

[tazihad]

Guys, I have found a way to bypass the failed captcha inside heroic launcher. Make sure you connect your epic games with your google account from any browser. Than try login with google account with inside heroic. After giving google login details it takes me directly to Epic games 2fa screen. And the login happens without any issue.

[PadTrick]

Guys, I have found a way to bypass the failed captcha inside heroic launcher. Make sure you connect your epic games with your google account from any browser. Than try login with google account with inside heroic. After giving google login details it takes me directly to Epic games 2fa screen. And the login happens without any issue.

nice workaround, but in the end, the issue with the captchas for epic account login needs to be fixed.

[Arcitec]

@flavioislima It is NOT an IP block, I have already verified that. But I have a bit of a theory...

Epic most likely enabled a "if user has a rare User-Agent header, raise their threat score...".

• Chrome on Mac? RARE! People there use Safari.
• Chrome/Brave on Linux? RARE! People there use Firefox.

For me, all of these browsers are tested and WORKING, all from the same IP:

• Linux: Firefox. It's the most common Linux user-agent, so it probably gets a good score. Works perfectly. Doesn't even get a captcha challenge.
• Windows: Edge (Chrome-based), thus proving that nothing in Chrome's code is breaking anything. It's a user-agent based block. Doesn't even get a captcha challenge.
• Android: Chrome. Literally. Doesn't even get a captcha challenge.

So it is nearly 100% sure to be a newly added threat metric: "user has a rare user agent? give them a bad score, which then leads to a block".

I have contacted their support and asked if they can forward it to engineering. And I will keep repeating the same request to support if they don't forward it the first time I asked, since we all know how often we can get "oh must be your fault, use a different browser" answers. That is not acceptable here. Their login backend is badly configured.

[flavioislima]

@Arcitec but on heroic we already pass the user agent as chrome on windows to avoid this type of thing.

[Arcitec]

@flavioislima Yeah, I even saw the patch you're using to update the user agent to try to avoid the new captcha.

It's clear to me that Epic has tuned their "untrusted user agents" check way too sensitive. I've contacted their support twice by the way, with an explanation and a request to forward it to engineering. Both times, support personnel just clicked their control panel's auto-suggested auto-reply template and closed the tickets. They sent me links to helpful tips such as "How to clear your browser cache to see if that works".

Time to submit the 3rd ticket. Tickets will continue until morale improves.

[Arcitec]

Third time was the charm. Finally a support agent who forwarded the info to Epic's engineering. The bold part is the non-template/non-auto-response part of their message. I am 99% sure that everything non-bold is a standard template for "passing along info to engineers" but the bold part is human-written and suggests that the info is being passed along.

Now we just need to pray that it reaches an engineer who has a look at the broken Linux logins and that they actually revise their login thresholds to allow the rarer Linux web browsers (non-Firefox users) back into the store.

Hello there!

Thank you for reaching out to us. My name is ... and I'll be your Epic Games Support Agent.

I'm sorry to hear about your experience with logging into Epic on Linux. Thank you for letting us know of a potential fix that would stop this from happening to other players as well. Not many people go the extra mile like you did!

I'll pass your feedback along, yet since we get a lot of feedback, I can't guarantee that any action or response will come from this. Don't forget to keep an eye on our News page for the latest information on updates and changes.

If there's anything else I could do for you, please let me know! I wish you a great rest of your day!

Kind regards, ...

This part confirms that much of it is a template, but at least it confirms that they used the "pass along to engineers" template, hehe: "I'll pass your feedback along, yet since we get a lot of feedback, I can't guarantee that any action or response will come from this. Don't forget to keep an eye on our News page for the latest information on updates and changes."

Normally I wouldn't encourage more people to send in tickets, but in this case, since Linux is so small, I think it WOULD help if more people contact them about the Linux login issues, which are caused by their website being way too strict against "rare/unusual" logins. Firefox works, but less popular browsers (on Linux) like Chrome and Brave don't work. Those exact same browsers all work on Windows, from the exact same IP. So it's pretty clear that they are kicking us out based on our "rare web browser" user agents.

[karlisk]

Came here after looking for solutions from here: Login issue #2531

Seems to be one and the same cause in both issues. As noted in the other issue, I was able to log in using Firefox on Linux, any other browser failed with incorrect captchas or "incorrect response".

[Arcitec]

Seems to be one and the same cause in both issues. As noted in the other issue, I was able to log in using Firefox on Linux, any other browser failed with incorrect captchas or "incorrect response".

@karlisk Yeah, this is not fixable by us. Epic must do it.

Please start contacting Epic's support (via your account page: Need Help: Contact us (at the bottom)). And begin the message by explaining that the issue is affecting most users on Linux and that it needs to be relayed to the engineering team because this is a clear issue on their end, not ours.

Then go on to list the working and non-working platforms and browsers.

In my case, all browsers are stock (no extensions) and are all on the same IP. Private mode doesn't fix it either.

• Works: Windows (Chrome, Brave, Edge), Android (Chrome), Linux (Firefox)
• Blocked by Epic: Linux (Chrome, Brave, Electron/Chromium).

Those are the ones I have tested.

With your report, we can add Mac to the list of things Epic has screwed up!

[Erz3]

It seems work now on Linux.

I logged in with the first option and passed captcha challenge.

[Arcitec]

It seems work now on Linux.

I logged in with the first option and passed captcha challenge.

@Erz3 Got excited for a moment, but sadly I'd guess that your IP simply has enough "basic trust" to put you above the threshold they use for rejecting logins.

Both Heroic Launcher + Brave on Linux still give me the same old tedious login-blocked result:

[Arcitec]

As an extra data point:

• Epic Games Launcher (the OFFICIAL app) inside of Bottles, emulated via Wine, logs in properly.
• That app is basically just a web browser. The login process is the exact same. But when using that app, the login is accepted immediately without even being asked for a captcha.
• I'm on the same Linux machine and IP as usual.

@flavioislima Any ideas for figuring out which User-Agent the official app uses? Maybe we can replicate it perfectly.

[PadTrick]

can someone plz delete this AD from 404b ?!

1. it's an AD
2. it has nothing todo with the problem

[404b]

can someone plz delete this AD from 404b ?!

1. it's an AD

I've deleted it, It was a plug for noCapcthaAi Captcha Solver I admit. But it's not the only one, there're more mention for other captcha solver sevice (eg. on replies of Arcitec).

No provider has free hobby/personal plan like noCapcthaAi (6000 req each month).

2. it has nothing todo with the problem

noCapcthaAi bypasses hCaptcha pretty well and daily updated, as much i can read here issue is about hCaptcha bypass failing which can be solved by getting a passed hCaptcha Token (entirely request based https://docs.nocaptchaai.com/en/token/hCaptcha.html).

Because third party projects always get's blocked by firewall/Captcha. Lot of software/clients already implemented our api on their side to bypass HCaptcha, HeroicGamesLauncher can too as an optional feature.

Alternatively, I could mention free projects here on github but there will same failed to bypass issue as they are not updated as much as noCapcthaAi

I didn't mean to upset you with a hcapctha solution (on your Issue about the same) thousand of people daily use. Have a good day.

[flavioislima]

I opened a PR where I just changed the user agent on the login screen to Firefox on Linux since some people had success with it. It worked for me as well.

But need more testers: https://github.com/Heroic-Games-Launcher/HeroicGamesLauncher/pull/2726

[MxD-Sans]

I found that, in browser, changing the User Agent from Developer Options -> Network Conditions to Chrome on Windows, said capcha will just not bother me anymore. If it stays default (Chrome on Linux), it would always fail. So maybe there's something specifically on linux that triggers that capcha? Since Epic is only officially supported on Windows, they only test Windows browsers?

The emulated User Agent, in Chrome, is Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36

[flavioislima]

I found that, in browser, changing the User Agent from Developer Options -> Network Conditions to Chrome on Windows, said capcha will just not bother me anymore. If it stays default (Chrome on Linux), it would always fail. So maybe there's something specifically on linux that triggers that capcha? Since Epic is only officially supported on Windows, they only test Windows browsers?

The emulated User Agent, in Chrome, is Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36

no, on the current Heroic stable we use chrome on windows, we always used chrome on windows so its something else. Some people even using a browser gets the error so it is more complicated than we think, might even be something on Epic side.

[sleeplessKomodo]

I'm on Fedora. Heroic v2.7.1

Can successfully login via Firefox browser, and can login within legendary using the alternative method to access my library, but can't use the built-in browser to log in and access the store. The regular login still fails the captcha

[Arcitec]

After a tedious amount of digging, I've found the true issue: It's a bug in hCaptcha. 🚨 It cannot be fixed by Heroic's developers, so stop waiting for a fix, we need your help! 🚨

:point_right: WE NEED YOUR HELP NOW! :point_left: Everyone, please send emails to hCaptcha to put pressure on them to fix their broken captchas.

Contact them here:

• support@hcaptcha.com
• sales@hcaptcha.com

The short summary:

• hCaptcha is detecting and permanently blocking the Linux/Mac versions of Chrome-based browsers (Brave, Chrome, Electron, etc) REGARDLESS OF USER AGENT (spoofing the exact same agent as the Windows version doesn't matter; it still hates your browser if you're on Mac/Linux), and hCaptcha blocks them permanently when attempting the hardest security challenge (Enterprise Grade, which is what Epic uses).
• In a few rare cases you might succeed an Enterprise challenge, but you will be blocked on your next tries very soon after that. Usually, you will succeed the 1st attempt. But then try reloading that page and taking the challenge again and you will have much more trouble, usually getting stuck in an infinite captcha loop. If you aren't getting stuck, then use User-Agent Switcher for Chrome to spoof a Windows browser, exactly what Heroic does and what I did in my tests, which is guaranteed to make hCaptcha hate you. They detect User Agent spoofing.
• Trying the exact same web browser (latest Chrome) on Windows instead gives easy success. Via the exact same IP.
• Their "bot detection" engine is simply COMPLETELY broken and is detecting non-Windows Chromium browsers as bots.
• It gets especially angry if any kind of "user-agent switching which doesn't match your real platform" is involved, which is ridiculous. They should not be caring about that. Google's captcha doesn't care about that.
• Blocking the entirety of the Linux/Mac market (and being even stricter when Electron apps use "custom User Agents") is clearly NOT intentional, since they happily allow Firefox on Linux to succeed the captcha. So I have high hopes that they'll fix this.

It's fascinating to see that hCaptcha is able to detect Linux/Mac even when doing User Agent spoofing. They DEFINITELY use browser fingerprinting to do that: Looking at your list of installed fonts, etc, to figure "Ahh this bastard is a Linux user who is just faking things!"...

One of the issues is actually the fact that Heroic is spoofing the browser, which makes hCaptcha hate Heroic even more, because it can see from the fingerprint that our "browser" (Electron) is lying about our user agent. This is a fact. I installed the Windows version of Heroic in a Win10 virtual machine to try it out, and am getting a captcha failure loop there too.

I suspect that hCaptcha has collected a lot of data about trusted browsers and platform characteristics, which simply didn't include enough data about Mac and Linux users, so our system fingerprints (our list of fonts, etc) have very low trust from their captcha system already, and then the "user agent spoofing" is the cherry on top that makes them block us. hCaptcha puts wayyyyyy too much value on having a "correct/trusted user agent" that matches your specific platform, which breaks Electron apps since those often have fake user agents on purpose. They'll need to tweak their knobs a bit because this is ridiculously overkill.

An alternative solution, if hCaptcha doesn't want to fix their captcha, would be for Epic to downgrade from Enterprise hCaptcha to Hard or Moderate difficulty instead.

Full details here about how the tests were performed: https://github.com/Heroic-Games-Launcher/HeroicGamesLauncher/pull/2726#issuecomment-1563634439