HACKER Q&A
📣 fxtentacle

Google ReCAPTCHA doesn't stop SPAM. Why?


Dear HackerNews,

I'm wondering if anyone has a hint for me. We've been receiving a lot of SPAM in the past 2-3 days, both on our signup form and on the contact-us form.

The way things are implemented is that the client-side JavaScript will send the "g-recaptcha-response" to our server and then our server will post that to "https://www.google.com/recaptcha/api/siteverify" to verify.

My logging tells me that we received "success == true" back from Google for each of the SPAM entries. That would suggest that someone has found a way to automatically "solve" ReCAPTCHA to obtain the "g-recaptcha-response" code in a way that Google declares them to be human.

Does anyone know more?
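The verification flow described above (client posts the "g-recaptcha-response" token, server forwards it to siteverify) with the rest of the siteverify reply actually checked, not just `success`. This is an added example, not code from the post or from Google; `SITEVERIFY_URL` and the field names (`success`, `challenge_ts`, `hostname`, `error-codes`, and `score`/`action` for v3) are the documented siteverify response, while the 60-second age window, the 0.5 score threshold, the hostname `example.com` and the sample response bodies are constructed assumptions for the example.

```python
"""Server-side reCAPTCHA siteverify check that inspects more than success=true.

Added example; not code from the original post. The policy values and the
sample response bodies below are constructed for illustration.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def fetch_siteverify(secret: str, token: str, remoteip: Optional[str] = None,
                     timeout: float = 5.0) -> dict:
    """POST the g-recaptcha-response token to Google and return the JSON body.

    Network call; not exercised offline. Shown to complete the flow the post describes.
    """
    form = {"secret": secret, "response": token}
    if remoteip:
        form["remoteip"] = remoteip
    req = urllib.request.Request(
        SITEVERIFY_URL,
        data=urllib.parse.urlencode(form).encode("ascii"),
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def evaluate_siteverify(body: dict, expected_hostname: str, now: datetime,
                        max_age: timedelta = timedelta(seconds=60),
                        expected_action: Optional[str] = None,
                        min_score: float = 0.5) -> Tuple[bool, str]:
    """Decide whether to accept a submission from Google's siteverify body.

    Returns (accepted, reason). max_age, expected_action and min_score are
    policy values chosen for this example (assumption), not Google mandates.
    """
    if not body.get("success"):
        # Google rejects expired and replayed tokens with "timeout-or-duplicate".
        codes = ",".join(body.get("error-codes", [])) or "unknown"
        return False, f"rejected by siteverify: {codes}"

    # The token was solved on a page using your site key; it should be your host.
    if body.get("hostname") != expected_hostname:
        return False, f"hostname mismatch: {body.get('hostname')!r}"

    # challenge_ts is ISO 8601 UTC, e.g. "2023-05-10T12:34:56Z".
    ts = body.get("challenge_ts")
    if not ts:
        return False, "missing challenge_ts"
    solved_at = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    age = now - solved_at
    if age > max_age:
        # Inside Google's own validity window but outside our tighter policy.
        return False, f"stale token: solved {int(age.total_seconds())}s before submit"

    # reCAPTCHA v3 replies also carry a score and the action name the client set.
    if "score" in body:
        if expected_action is not None and body.get("action") != expected_action:
            return False, f"action mismatch: {body.get('action')!r}"
        if float(body["score"]) < min_score:
            return False, f"low score: {body['score']}"

    return True, "ok"


# Constructed sample bodies (not real Google output) so this runs offline.
NOW = datetime(2023, 5, 10, 12, 0, 0, tzinfo=timezone.utc)

SAMPLE_FRESH_V2 = {"success": True, "challenge_ts": "2023-05-10T11:59:30Z",
                   "hostname": "example.com"}
SAMPLE_STALE_V2 = {"success": True, "challenge_ts": "2023-05-10T11:58:30Z",
                   "hostname": "example.com"}
SAMPLE_WRONG_HOST = {"success": True, "challenge_ts": "2023-05-10T11:59:50Z",
                     "hostname": "solver-farm.example"}
SAMPLE_REPLAYED = {"success": False, "error-codes": ["timeout-or-duplicate"]}
SAMPLE_LOW_SCORE_V3 = {"success": True, "challenge_ts": "2023-05-10T11:59:40Z",
                       "hostname": "example.com", "score": 0.1, "action": "signup"}


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run every sample through the policy; returns {name: (accepted, reason)}."""
    samples = {
        "fresh_v2": SAMPLE_FRESH_V2,
        "stale_v2": SAMPLE_STALE_V2,
        "wrong_host": SAMPLE_WRONG_HOST,
        "replayed": SAMPLE_REPLAYED,
        "low_score_v3": SAMPLE_LOW_SCORE_V3,
    }
    return {name: evaluate_siteverify(b, "example.com", NOW, expected_action="signup")
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:14} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

None of these checks catches a token that was solved by a human in a solver farm seconds ago, on your hostname, and submitted once: siteverify will report it as valid because it is. They do cut off replayed, stale, off-host and (for v3) low-scoring tokens, and the logged reason makes the next debugging step concrete. Treat the CAPTCHA as one signal and pair it with rate limiting per IP and per account and with content checks on the submitted form.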


  👤 WorldPeas Accepted Answer ✓
This is either the result of: A) captcha-solver farm services that sell auth tokens to spammers in bulk, or B) less likely, a system which uses the easier-to-solve audio captcha with recognition software to farm auth tokens.

The first system is probably the one at fault here; you should switch to an alternative or in-house system. Google's captcha has been broken like this for years. I no longer use it, in favor of hCaptcha, although I have not deployed it in production in a few months, so for all I know it could be compromised.


👤 compressedgas
That's because there is a human solving them. It can't distinguish between someone who actually wants to contact you and someone being paid to solve CAPTCHAs.