challenge-bypass-extension

restore hCaptcha compatibility

Open fedecarpy opened this issue 2 years ago • 1 comments

This PR restores full hCaptcha compatibility.

Maintainers: please notify [email protected] well in advance of shipping breaking changes to hCaptcha support. This will let us schedule work to validate and PR any changes required.

We have historically linked hCaptcha users to the extension published out of this repo, but if maintaining compatibility with non-Cloudflare endpoints is not a priority then it may make more sense to publish our fork separately to avoid similar issues going forward.

Let us know your thoughts on this.

Aug 31 '22 19:08 fedecarpy

Hi @fedecarpy, apologies for the delay on this. We intend to land this and will work with you on getting it merged in the next week or so.

For starters, we have some questions about maintenance, and it would be great to confirm that you actually work for hCaptcha :) Would you mind reaching out at https://research.cloudflare.com/contact/?

Sep 15 '22 16:09 cjpatton

@fedecarpy apologies for the delay. I'll add some more details next week.

Oct 26 '22 15:10 thibmeu

Hi @fedecarpy, I noticed that hCaptcha allows spending one token, but on the second try, it consumes the token but does not bypass the captcha (the puzzle images are prompted to the user). See the image:

captchaOnceOnly

Steps to reproduce:

  1. Get 5 tokens from https://www.hcaptcha.com/privacy-pass.
  2. Go to https://accounts.hcaptcha.com/demo. On the first try, the token is consumed and no images appear. Good!
  3. Refresh the page.
  4. Check the mark of the captcha. Now the token is consumed and sent without error, but the images still appear. :(

I observed the same behaviour when solving this demo: https://2captcha.com/demo/hcaptcha

Oct 28 '22 18:10 armfazh

> Hi @fedecarpy, I noticed that hCaptcha allows spending one token, but on the second try, it consumes the token but does not bypass the captcha (the puzzle images are prompted to the user).

Hi @armfazh.

This is the expected behavior. The existence of a Privacy Pass token is only one of many variables that decide whether a challenge is shown. Rapid repeated redemptions make it less likely that a session will bypass the challenge.

Oct 31 '22 11:10 fedecarpy

> > Hi @fedecarpy, I noticed that hCaptcha allows spending one token, but on the second try, it consumes the token but does not bypass the captcha (the puzzle images are prompted to the user).
>
> This is the expected behavior. The existence of a Privacy Pass token is only one of many variables that decide whether a challenge is shown. Rapid repeated redemptions make it less likely that a session will bypass the challenge.

OK, then we might add somewhere in the documentation that the captcha might still show the puzzle even though the extension provides a valid token. Tracked in #348

Nov 01 '22 23:11 armfazh

Thanks @fedecarpy, we will publish a new version soon.

Nov 08 '22 21:11 armfazh