dessant / buster

Captcha solver extension for humans, available for Chrome, Edge and Firefox
https://addons.mozilla.org/en-US/firefox/addon/buster-captcha-solver/
GNU General Public License v3.0
7.9k stars 593 forks

Support hCaptcha #319

Open dessant opened 3 years ago

dessant commented 3 years ago

Subscribe to this issue for updates on hCaptcha support.

Pandapip1 commented 2 years ago

This is not needed. hCaptcha supports an accessibility system that automatically bypasses captchas for you: https://www.hcaptcha.com/accessibility

Edit: Quote from their website

How it works: first, an accessibility user signs up via the accessibility signup page, which is prominently linked in the hCaptcha widget info page. They are given an encrypted cookie that can be used several times per day, but must be refreshed every 24 hours via login.

When a challenge is presented to an accessibility user on any site using the hCaptcha service, they will automatically pass.

kotx commented 2 years ago

That requires a signup/email, though. It also requires login.

KaKi87 commented 2 years ago

automatically get the cookies method to bypass it

I made a PoC for that once, although it must have broken by now, but I'm just saying it's doable. :+1:

mat926 commented 2 years ago

I see there's already an extension for solving hCaptcha. https://chrome.google.com/webstore/detail/hcaptcha-solver/lfpfbgeoodeejmjdlfjbfjkemjlblijg Although they don't have their source available, my guess is image recognition, but it's hard to say how they do it.

KaKi87 commented 2 years ago

why they had temp-mail?

AFAIK there is no way to get the cookie without receiving an email, so I used a disposable email service to receive it.

Pandapip1 commented 2 years ago

The accessibility cookie is (supposedly) rate limited. This will (likely) not work.

kotx commented 2 years ago

You need an email to get a link, which is rate-limited and therefore can't be shared. Automating a disposable mail address is how you get that link.

We could maybe make an API to do this (and return a cookie), so the browser extension doesn't need to do all the heavy lifting.

KaKi87 commented 2 years ago

On the contrary, you shouldn't make an API to scrape a rate-limited service, since all requests will originate from the server's static IP address, which will eventually get blocked.

Also, you can't constantly use the same disposable email provider, because it will get detected and eventually banned as well, considering that many of those services already are blocked.

You could submit the form client-side and receive the email server-side, but then the IP address will be blocked by the disposable email providers instead.

So, a fully client-side solution would be the best implementation of the email method, the downside is that you need an actual system app to run a headless browser capable of scraping both hCaptcha and email providers, which would communicate with the extension.

However, I would personally recommend looking for another method than the email one.

Pandapip1 commented 2 years ago

I still don't understand what's wrong with just bookmarking the hCaptcha accessibility URL. If all else fails, maybe the extension could force-whitelist that 3rd party cookie and automatically refresh it from a user-provided cookie URL?

I don't think it's any harder to sign up for the hCaptcha accessibility URL than it is to sign up to any of the speech recognition APIs. Considering the use-case of this extension is improving accessibility, I doubt the utility of trying to do anything more than providing a link to hCaptcha's accessibility sign up page and automatically refresh and force the cookie to load.

Maybe adding some code to implement privacy passes might also be useful, just to reduce the number of hCaptchas shown.

dessant commented 2 years ago

I have cleaned up the thread and kept the parts that are useful, please only share relevant information going forward.

I agree that automating the signup for the accessibility cookie is out of scope, the most this extension will do is to refresh the cookie if you have already signed up.

The main goal here is to find solutions that involve object recognition.

Pandapip1 commented 2 years ago

the most this extension will do is to refresh the cookie if you have already signed up.

I'd argue that it should probably implement https://github.com/privacypass/challenge-bypass-extension, if only to reduce the number of hCaptchas shown. I will note that hCaptcha officially supports this protocol.

kotx commented 2 years ago

@Pandapip1 Usually, I find that Privacy Pass just doesn't work for hCaptcha (no passes get added) :P. Also, this does not bypass the hCaptcha, which is the entire goal of this extension (bypassing captchas).

Pandapip1 commented 2 years ago

It doesn't work because the privacy pass extension broke their code when they added Cloudflare and haven't realized it yet. There's an open PR in their repo that fixes it, but it has yet to be merged. Also, the protocol does bypass hCaptchas. Just not all of them :)

kotx commented 2 years ago

The whole system is based off the fact that you solved a hCaptcha, when the point of this extension is to do it automatically. Also, I only get ~10 passes per solve, so it's not very viable for the long term IMO.

Pandapip1 commented 2 years ago

Assuming the solver solves it 99% of the time, implementing privacy passes will improve that accuracy to 99.91%. I don't see any downside.

kotx commented 2 years ago

My mistake, I thought you meant the privacy pass solution would be the only thing the extension would offer. Sounds good now.

Ezekiel-Game commented 2 years ago

i dont know anything but i found this https://chrome.google.com/webstore/detail/hcaptcha-solver/lfpfbgeoodeejmjdlfjbfjkemjlblijg

Ezekiel-Game commented 2 years ago

Ezekiel

it may be malicious i think

Ezekiel-Game commented 2 years ago

also found this https://www.nyckel.com/image-classification-api?gclid=Cj0KCQjwnNyUBhCZARIsAI9AYlHvlO-rxKv9mEfaiDlaePwBoIQNP5rTwtn2Gk3HEx7EJJxIfvlxWB4aAmxiEALw_wcB

mat926 commented 2 years ago

i dont know anything but i found this https://chrome.google.com/webstore/detail/hcaptcha-solver/lfpfbgeoodeejmjdlfjbfjkemjlblijg

I tried it and there are several issues with it:

  1. Not open source
  2. Doesn't always work; you don't know what's happening under the hood
  3. Redirects you to gtechmonitor affiliate link before reaching amazon

Ezekiel-Game commented 2 years ago

i dont know anything but i found this https://chrome.google.com/webstore/detail/hcaptcha-solver/lfpfbgeoodeejmjdlfjbfjkemjlblijg

I tried it and there are several issues with it:

  1. Not open source
  2. Doesn't always work; you don't know what's happening under the hood
  3. Redirects you to gtechmonitor affiliate link before reaching amazon

i said it may be malicious did i

Ezekiel-Game commented 2 years ago

and i dont know anything so dont blame me :(

chirag127 commented 2 years ago

It doesn't work because the privacy pass extension broke their code when they added Cloudflare and haven't realized it yet. There's an open PR in their repo that fixes it, but it has yet to be merged. Also, the protocol does bypass hCaptchas. Just not all of them :)

@ so I can install after merging,

viasux commented 2 years ago

That requires a signup/email, though. It also requires login.

also it allows for them to constantly track you all over the internet