google / recaptcha

PHP client library for reCAPTCHA, a free service to protect your website from spam and abuse.
http://www.google.com/recaptcha/
BSD 3-Clause "New" or "Revised" License

reCaptcha seems to loop indefinitely when third party cookies are disabled #296

Closed raphj closed 1 year ago

raphj commented 5 years ago

Issue description

I'm one element of the gigantic set of users of the Web hindered by reCaptcha's existence. Also see issue #286. Google does not have any easy way of submitting bugs for their products as someone suffering collateral damages because of people picking them so here it is.

reCaptcha seems to loop indefinitely when third party cookies are disabled and trackers are blocked.

Environment

I don't use recaptcha as a developer myself.

Reproducing the issue

Disable third-party cookies in your browser and try passing reCaptcha's maddening traffic lights and front stores.

Additionally, add ".google." as a blocking rule in uBlock Origin (on Firefox) to be sure to reproduce my setup with high precision, and block any kind of trackers with privacy lists.

Expected Behavior

reCaptcha should at least tell the user to get lost when something obviously does not work as expected instead of letting them die before an endless stream of front stores and traffic lights in the cold.

cuuupid commented 5 years ago

I'm experiencing the same issue. Also, this seems to be expected behaviour, as they'll just allow me to solve 12-15 captchas before saying "Something went wrong" every single time. I'm pretty sure they're just using this as a training loop. There doesn't seem to be any workaround if you don't want to share browsing activity with Google, and surprisingly since the data they forcibly collect is not PII they're allowed to block content indefinitely/have you solve their captchas indefinitely.

I doubt you'll get a reply since @rowan-m in the other thread marked this with a pseudo-WONTFIX:

This repo is for the client code for developers that need to verify their response to the API. I understand that the challenges can be frustrating. You might want to consider contacting the sites where you're experiencing this to advise them to update to the v3 version of the service which presents a confidence score rather than blocking with a challenge.

For what it's worth, as a web developer who would like to add captcha to my technology, it's an enormous antipattern for recaptcha to fail quietly and not provide any user feedback as to the failure so that they can adjust. This is not made clear by error messages provided either.

grahamperrin commented 5 years ago

… an enormous antipattern for recaptcha to fail quietly and not provide any user feedback as to the failure so that they can adjust. This is not made clear by error messages provided either.

+1

The lack of clarity can be hugely frustrating for end users and a big waste of time for support staff.

grahamperrin commented 5 years ago

https://github.com/google/recaptcha/issues/155#issuecomment-409589834:

This isn't directly related to the PHP code which is what this repo focuses on. However, …

vertigo220 commented 5 years ago

Been posting in another issue, not directly related to this, but definitely part of the annoyance that is reCaptcha. While the cookie situation is likely partially innocent, i.e. a way to have a good idea of whether a "user" is a human or a bot, I'm convinced it's also at least partially designed to force Google cookies on systems regardless of other settings (blocking 3rd-party cookies, deleting Google cookies, etc) in order to prevent the massive time waste of having to do captchas all the time, and spend 3+ minutes on them each time. I'm also convinced they are, both in general and especially in these cases, using people to train their systems. Anyways, as discussed in the other issue, I have serious concerns about v3, and suspect it will be even worse than v2, since it will quite likely simply block people instead of offering them the ability to prove they're human (even if that does take FAR longer than it should and still often fail). And it seems to me the requirement for users to have Google cookies on their systems just to use a number of unrelated sites, not to mention the fact said cookies aren't even disclosed, is in violation of GDPR and possibly (though, sadly, unlikely) FTC rules.

hellimod commented 5 years ago

I would recommend the project be canceled. This kind of poorly coded application with google sponsorship can cause real damage to the internet as a whole.

theAntiBob commented 5 years ago

I really didn't anticipate having my (limited) time wasted by an unquestionably inappropriate neglect to ask my permission before being used to unnecessarily retrain (detrain, in my opinion) proprietary routines under the guise of humanoidal verification as an assumedly independent 3rd party service.

I seriously doubt the quality of data being collected on frustrated and confused (unwitting unwilling and unconsenting) users could be useful for anything other than anticipating patience loss thresholds. Nice work, gladOS.

Comments like: "...waste of time for support staff" "aren't even disclosed, is in violation of GDPR and possibly (though, sadly, unlikely) FTC rules" and "poorly coded application with google sponsorship can cause real damage to the internet as a whole" are incredibly valid with this type of violation of trust and are, unfortunately, too rarely voiced by the supposed "consentee".

Due to an obvious gap in the current levels of technical capability possessed by end users, a clear and valid disclaimer is obviously needed to avoid having the term "intentional misleading" be so applicable to this behavior as well.

danhash commented 4 years ago

When trying to log in to JimmyJohns.com, which uses reCAPTCHA, with third-party cookies disabled in Firefox, clicking Login does nothing. As soon as I enable third-party cookies, clicking Login works. I've already reported this issue to Jimmy John's, who will likely do nothing, but the real culprit is Google's reCAPTCHA requiring third-party cookies. This dependency needs to be removed.

efimBistrov commented 4 years ago

When will this bug be fixed?

grahamperrin commented 3 years ago

Firefox

If I recall correctly, there's no problem with enhanced tracking protection at its Standard level.

Don't prefer the Strict level unless you're prepared to deal with some breakage; this may include reCaptcha functionality.

There's a forewarning:

image

(I do prefer the strictness.)

raphj commented 3 years ago

Strict privacy / anti-tracking settings should not prevent people from accessing websites, especially because of a CAPTCHA technology. Telling computers and humans apart certainly does not require tracking.

dylanjamesdev commented 3 years ago

Bumping because this is still an issue, the recaptcha keeps cycling no matter what browser or user does it. It will not allow anyone to pass it.

snex commented 2 years ago

Google: Don't be evil

Also Google: Disable all privacy settings or we will put you in an infinite captcha loop.

Captcha is supposed to tell humans apart from bots. If I solved it the first time, you know I'm a human. Stop infinite redirecting me. You are violating your own terms of service.

vertigo220 commented 2 years ago

Google: Don't be evil

Also Google: Disable all privacy settings or we will put you in an infinite captcha loop.

Captcha is supposed to tell humans apart from bots. If I solved it the first time, you know I'm a human. Stop infinite redirecting me. You are violating your own terms of service.

They removed the don't be evil bit a few years ago. At least they finally showed a bit of honesty when they did that.

grahamperrin commented 2 years ago

Stop boring me with infinite complaints. Click the picture of the bicycle.

snex commented 2 years ago

Stop boring me with infinite complaints. Click the picture of the bicycle.

I sure hope you aren't a Google representative because if you are, your lack of reading comprehension is exactly why your software is turning to hot garbage.

It doesn't matter how many times the bicycle is clicked, the page just redirects back to itself. Now stop wasting the inflated 6 figure salary they pay you on diversity initiatives and go fix it.

grahamperrin commented 2 years ago

I sure hope you aren't a Google representative

I'm not.

the inflated 6 figure salary they pay you

First, pay me that salary

on diversity initiatives

then I can make a massive charitable donation to Bicycles for The Bored™, which will, eventually, increase the number of bicycles photographed for captcha purposes, ultimately making for a more pleasant experience when a fix occurs.

and go fix it.

No, and you're welcome.

snex commented 2 years ago

What on earth are you even talking about? The issue is not "bicycles keep appearing no matter how many I click."

The issue is "I clicked all the bicycles and submitted the page successfully, and then it just went to another captcha page."

If you aren't even a maintainer of the project, why are you commenting at all? You have contributed absolutely nothing.

grahamperrin commented 2 years ago

why are you commenting at all?

Please ask yourself whether https://github.com/google/recaptcha/issues/296#issuecomment-1279806239 helped to progress the issue.

snex commented 2 years ago

why are you commenting at all?

Please ask yourself whether #296 (comment) helped to progress the issue.

The comment before mine is over a year old. I know you guys just hope people will give up and go away, so you can close the issue and boost your KPIs and collect that sweet bonus money, but unfortunately the issue is still happening as of October 15, 2022. You probably could have fixed it in the time you wasted being snarky to your customers.

grahamperrin commented 2 years ago

I know you guys just hope people will give up and go away,

Wrong.

I hope for a fix relating to a technology that's intended to deter spam and other unwelcome noise.

If you didn't want responses to your noise about the supposed evils of Google, then why did you make the noise? I'll now hide my responses; please consider doing the same.

your customers.

You are not my customer.

cyril-nmpro commented 1 year ago

And the issue is still happening in Feb 2023

mooleshacat commented 1 year ago

Yep can't use any website that uses reCaptcha which is basically 99% of the internet. Also I refuse to accept that "disable ad block" and "disable VPN" are the proper solution - it's only gaslighting and blaming users for protecting their privacy and their personal data from three letter agencies who work directly with Google.

Google, the year is 2023 and literally everyone uses ad blockers and VPNs so get over it, stop crying and deal with it.

If the answer to be able to use a website is to allow Google to track you, that is the wrong answer.

Google made it so difficult that actual humans can't pass their "turing test".

Time for a new idea, or at the very least a complete re-code of reCaptcha.

Google and every website that uses reCaptcha blames the problem on the end user. The responses usually are:

As you can see, every solution they give is just gaslighting the very humans trying to access the websites and constantly getting stuck in a reCaptcha loop. I guess that's why they call it reCaptcha, because you have to do it over and over again until death do you part.

I should also note, the audio version of the reCaptcha is terrible, you can never tell what they are saying, how is this an "accessibility" feature? This should fall afoul of some disabilities act I am sure.

I also think it's time for a class action lawsuit against Google, Alphabet, et al. (not legal advice, consult a lawyer)

rowan-m commented 1 year ago

Closing old issues that are not related to the PHP client code.

raphj commented 1 year ago

@rowan-m Fair enough, but can you transmit the issue to the reCAPTCHA team please?

vertigo220 commented 1 year ago

Closing old issues that are not related to the PHP client code.

This is an issue about recaptcha posted under the recaptcha repo. How is it not related?

SedatedJdawg commented 4 months ago

July 2nd 2024 and I'm still dealing with infinite captcha loop... I've just decided some parts of the internet will be inaccessible!

kiddailey commented 2 months ago

August 27, 2024 and I can't use VirusTotal in any browser anymore on Windows because of reCaptcha loops -- even when I disable all blocking and disable privacy protections. Tried in Firefox, Chrome, Edge, and Vivaldi with no luck.

However, I don't get ANY reCaptcha prompts when using Firefox, Vivaldi and Safari on macOS with strict privacy protections turned on!

Edit: I just discovered that it's because of my VPN. Switching to a different VPN node suddenly allows reCaptcha to work properly. Going back to the previous node breaks it again. So for me, it's not browser privacy protections, it's using certain nodes of my VPN that causes reCaptcha loops.