google / recaptcha

PHP client library for reCAPTCHA, a free service to protect your website from spam and abuse.
http://www.google.com/recaptcha/
BSD 3-Clause "New" or "Revised" License

Recaptcha v3 always returns a 0.9 score #235

Closed AOlivar closed 6 years ago

AOlivar commented 6 years ago

I have a problem with reCAPTCHA v3: the request always returns a 0.9 score. Is this a problem? It keeps sending the form.

sliterok commented 6 years ago

Same problem with my site

atlanteh commented 6 years ago

Happens to me too

cristiano-belloni commented 6 years ago

Happens to me too.

cristiano-belloni commented 6 years ago

@AOlivar - could you edit the title to something like "Recaptcha v3 always returns a 0.9 score"? That might be easier to read.

sliterok commented 6 years ago

UPD: 2 of 11 users got a score of 0.3. That was a static score (at least for 20-30 minutes it stayed the same). The other 9 users have gotten a score of 0.9 (also static).

atlanteh commented 6 years ago

What I did was open my site in incognito mode, never hovering or interacting with the website. I had developer tools open, and using the console & selector I clicked a button which calls the reCAPTCHA. I still got 0.9.

sliterok commented 6 years ago

@atlanteh as far as I understand, it uses your IP address and searches for actions from Google-included websites or Google itself. I may ask you to use a proxy and try it again.

atlanteh commented 6 years ago

It doesn't seem right. If I'm behind a router, all the computers will have the same external ip address.

sliterok commented 6 years ago

Nonetheless it looks like it's working this way... (based on my little research doing more "actions" doesn't change score anyhow)

mhervy commented 6 years ago

I also get always 0.9 but only on Chrome, with IE I always get 0.1 and always 0.3 on Edge. By using console to navigate on Chrome and still have 0.9...

sliterok commented 6 years ago

One of my users is using(!) Chrome 63, but he's getting 0.3 score

mhervy commented 6 years ago

@sliterok I'm using Chrome 66

Timeo73 commented 6 years ago

Same problem here. I always get 0.9 score. Is it normal?

rowan-m commented 6 years ago

This is more of a question with the reCAPTCHA service rather than the client library, but that said I'll add a personal opinion.

So, this isn't a definitive answer, but I wouldn't be worried about not receiving a 1. Consider it like a probability score where 1 would mean with absolute certainty this is not a bot. That can never be guaranteed, so a 1 would never happen. It's probably safe to work on the assumption you're getting a probability score rounded down to the nearest 0.1.

namlq93 commented 6 years ago

Me too. I want to check case score 0,1 -> 0,5. But Recaptcha v3 always returns a 0.9 score.. How to do it?

rowan-m commented 6 years ago

A few things on this:

xmontero commented 5 years ago

Just for those testing under "incognito"... reCaptcha is not for separating good users from bad users. It's for separating "human" users apart from "bot" users. reCaptcha is just one singular instance of any generic Captcha. And Captcha means "Completely Automated Public Turing test to tell Computers and Humans Apart".

Here the key is "telling computers and humans apart".

So to make it fail, you don't have to test it against an incognito. You are still a human behind that incognito. And that's correct. If you have a real user entering your site from an incognito you want to test it as human and allow him.

Instead, try to enter via an automated client, like CURL or even PhantomJs or Selenium.

Then you'll probably get lower scores.

If you want to test incognitos, just play with cookies. Captcha does much more things. One of the things Captchas can do is to bind to the mouse-move events and track how you "stroll the mouse" over the canvas before clicking the submit button, record a "hash" of the movements and check the hash is not in a database. If you are Selenium, you just click, you don't "move the mouse simulating a human". And if a hacker makes Selenium move the mouse, the pattern can be recorded and checked. For a human it's absolutely impossible to move the mouse two times in the same page tracing the very same pixel-journey.

So... just guys... make it easy... this is a score... Over 0.5 human, less than 0.5, ban it. Over time adjust the threshold to your site needs... if you receive many 0.48 that were "good users" because your users for example typically use weird IPs but that's okay, lower the threshold.

Neither you are a perfect 1.0 (nor me), nor a bot is a perfect 0.0.

This is one of the major changes from v2 to v3. In v2 it was black or white. In v3 it's a shade of gray. Pick your own threshold and confide in people behind the AI of the Turing test.
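
The threshold advice above can be checked against a site's own logs. The following is an added example, not code from this thread or from the google/recaptcha library: `decide` and `sweep` are hypothetical helper names, the input is the decoded JSON of a siteverify response, and all sample data is constructed.

```javascript
// Added example; helper names and all sample data are constructed for illustration.

// Decide what to do with one decoded siteverify response.
function decide(resp, { expectedAction, expectedHostname, threshold }) {
  if (!resp || resp.success !== true) return { allow: false, reason: 'verification-failed' };
  // A token minted on another site or for another action must not be accepted here.
  if (resp.hostname !== expectedHostname) return { allow: false, reason: 'hostname-mismatch' };
  if (resp.action !== expectedAction) return { allow: false, reason: 'action-mismatch' };
  if (typeof resp.score !== 'number') return { allow: false, reason: 'no-score' };
  return resp.score >= threshold
    ? { allow: true, reason: 'score-ok' }
    : { allow: false, reason: 'low-score' };
}

// Sweep candidate thresholds over logged, manually labelled submissions and
// count how many good users would be blocked and how much spam would pass.
function sweep(history, thresholds = [0.3, 0.5, 0.7, 0.9]) {
  return thresholds.map((t) => ({
    threshold: t,
    goodBlocked: history.filter((h) => !h.spam && h.score < t).length,
    spamPassed: history.filter((h) => h.spam && h.score >= t).length,
  }));
}

// Constructed log from a site where scores do separate the two groups...
const separable = [
  { score: 0.9, spam: false }, { score: 0.7, spam: false }, { score: 0.4, spam: false },
  { score: 0.1, spam: true }, { score: 0.3, spam: true },
];
// ...and one like those reported in this thread, where everything scores 0.9.
const flat = [
  { score: 0.9, spam: false }, { score: 0.9, spam: false },
  { score: 0.9, spam: true }, { score: 0.9, spam: true },
];

// Constructed siteverify response for a form submitted with action "contact".
const sample = { success: true, score: 0.9, action: 'contact', hostname: 'example.com' };
const policy = { expectedAction: 'contact', expectedHostname: 'example.com', threshold: 0.5 };

console.log(decide(sample, policy));
console.log(sweep(separable));
console.log(sweep(flat));
```

On the `flat` log every threshold lets all the spam through, so on a site that behaves as reported here the score cannot be the only control on the form.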

jfromaniello commented 5 years ago

Any ideas why I'd get 0.9 with Chrome headless in an incognito context? This classifies enough as a bot for me. I tried using different ISPs to change the connection, and still get 0.9. The website I am testing does an alert(score); of the score returned by recaptcha v3:

```js
const puppeteer = require('puppeteer');

// Open the page in a fresh incognito context and log the score it alerts.
async function doit(browser) {
  const context = await browser.createIncognitoBrowserContext();
  const page = await context.newPage();
  // Resolves once the page shows its alert(score) dialog.
  const result = new Promise((resolve) => {
    page.once('dialog', (dialog) => {
      console.log(dialog.message());
      resolve();
    });
  });

  await page.goto('https://a-website.com/');

  return result;
}

(async () => {
  const browser = await puppeteer.launch();

  const operations = [];

  // Start ten page loads concurrently, each in its own incognito context.
  for (let i = 0; i < 10; i++) {
    operations.push(doit(browser));
  }

  await Promise.all(operations);

  await browser.close();
})();
```

xmontero commented 5 years ago

Indeed. If it's an "automated test" it "should" give low score. Shouldn't it?

nikita-seliverstov commented 5 years ago

Same with me used selenium automated test with bunch of console command executions still 0.9

simonoop commented 5 years ago

Same with me used selenium automated test with bunch of console command executions still 0.9 +1

abass commented 5 years ago

Experiencing this as well. My client is getting loads of spam form submissions and yet 99% of the traffic is showing .9 - there's no way that is accurate. Anyone know what might be going on here?

dalmenar commented 5 years ago

+1. I try it with Selenium with 0.9 score...

mastagino commented 5 years ago

Not sure if this is the case, but they recommend to put recaptcha V3 in multiple regular traffic pages, so that they can analyze and see what is normal traffic for your website. If you simply put it on a form, it is not enough.

"Google wouldn’t say what factors go into that score, other than that Google observes what a bunch of “good traffic” on a site looks like, according to Cy Khormaee, a product manager on the CAPTCHA team, and uses that to detect “bad traffic.”"

lukas-maxheim commented 5 years ago

I can reproduce the error as well. Also with the approach suggested by mastagino I get the score of 0.9 for every submit I make.

eltats commented 4 years ago

Can someone post code with Selenium which returns 0.9?

aerkanc commented 4 years ago

Can someone post code with Selenium which returns 0.9? @eltats I've tested native JavaScript via the developer tools console. The score is 0.9 again!

Murrengan commented 4 years ago

Recaptcha v3 not working! I try selenium (headless and standard) and get 0.9 on all my request =((

boagriuz commented 4 years ago

Any solution/updates on this?

paulshorey commented 4 years ago

Same for me. I programmed a web crawler in Apify.com. Took 5 minutes. I am able to collect all my site data, which was returned by AJAX request, which is secured by recaptcha v3. Watching console logs on my remote server, it always returns 0.9 score no matter what!

averri commented 4 years ago

Why is this closed?! There is no explanation to the questions! I'm facing the same situation. I have written a simple script in 5 minutes to automate the form filling. I know that the reCaptcha is adaptive, it learns from the behaviour. I have been playing with the form, filled it 50 times by hand and then I have used the bot to fill the form. reCaptcha is not able to detect the bot!


xmontero commented 4 years ago

Hummm... Isn't the "closing" action appearing in the timeline itself? Didn't github place a "Person Foo closed Issue Bar on XXX date" within the timeline? I'd like to know WHO closed and WHY closed this issue.

sliterok commented 4 years ago

Hummm... Isn't the "closing" action appearing in the timeline itself? Didn't github place a "Person Foo closed Issue Bar on XXX date" within the timeline? I'd like to know WHO closed and WHY closed this issue.

https://github.com/google/recaptcha/issues/235#issuecomment-408701725

cstrouse commented 4 years ago

Completely bogus form entries yield 0.8 or 0.9 for me. Clients are getting spammed like crazy and this seems to do zero good. Definitely an issue here!

Zentorer commented 4 years ago

Yes, I'm implementing v3 and the same thing happens to me, all requests are 0.9. Test changing ips and the results were the same.

atlanteh commented 4 years ago

Unless you have a useful info to share with everyone, please do not add another rather generic "I tried it too, doesn't work". You are email alerting everyone in this thread. Adding a like on the author post is just fine. Thx, and sorry for this alert

cstrouse commented 4 years ago

@atlanteh Have you considered that the point of this is to draw attention to a problem that is being ignored for what appears to be no reason?

sliterok commented 4 years ago

@cstrouse, that repository is for the PHP library for reCAPTCHA, so I guess posting here about the functional problems of captcha 3 is useless.

ertejaspatel commented 4 years ago

Has anyone got any workaround about how to test or force google to return low score.

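I tried

  • Selenium with headless,
  • changed chrome browser useragent to Bot
  • tried in incognito window but no luck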

none of them worked for me. I always get score of 0.9

Preferred Solution: Ideally google should provide test configuration in settings on Admin console so that user can configure that test request should receive x score.

Thanks

cstrouse commented 4 years ago

Seems like it's not testing if the messages are junk but rather that it's something human-like in how it interacts with the website. I always get the 0.9 score but after putting it live to protect a form that was actively being abused the junk entries stopped. There haven't been any junk entries in weeks.

On Thu, May 28, 2020, 6:34 PM ertejaspatel notifications@github.com wrote:

Has anyone got any workaround about how to test or force google to return low score.

I tried

  • Selenium with headless,
  • changed chrome browser useragent to Bot
  • tried in incognito window but no luck

none of them worked for me. I always get score of 0.9

Preferred Solution: Ideally google should provide test configuration in settings on Admin console so that user can configure that test request should receive x score.

Thanks


mcopes73 commented 4 years ago

+1 here. Always getting 0.9

almazka987 commented 4 years ago

+1 Same problem!

ms-dinesh-lawate commented 4 years ago

+1 Same issue! ReCaptcha Enterprise v3 always return same exact score i.e. 0.8999999761581421 for all the users and even with selenium testing also it gives same exact score. Not sure whether that number is hardcoded inside captcha library or not?

derryberni commented 4 years ago

+1 Same issue!

qweluke commented 4 years ago

+1, same problem

dattannguyen commented 4 years ago

+1 same issue

julianmodiano commented 4 years ago

Same issue here, wrote a puppeteer script that logged in for me in headless chromium 200+ times in 10 minutes and every single score came back as 0.9 - tested it on the production site in case it's somehow smart enough to realize that localhost is probably safe, and was on a VPN as well so surely it shouldn't save the IP as safe from when I'd previously logged in legitimately. Seems like it's basically useless...

flcoder commented 4 years ago

+1 same

ashatat commented 4 years ago

did anyone get an explanation for this issue?

raymondjacobson commented 3 years ago

+1 same