154

I've recently signed up to the oneplusone website https://account.oneplus.net/sign-up, and noticed this checkbox recaptcha

checkbox recaptcha

How does it work, and how can I use it on my sites? Much better than those cryptic words/digits:)

The recaptcha site does not mention any new recaptcha method... https://www.google.com/recaptcha/intro/index.html

Mogsdad
  • 44,709
  • 21
  • 151
  • 275
Pedro Costa
  • 2,968
  • 2
  • 18
  • 30
  • 15
    I saw it at exactly the same place, and wondered the exact same thing. I'm putting up a bounty to attract attention. I'm curious as well. – Madara's Ghost Sep 02 '14 at 14:13
  • Maybe it's in testing and not ready to be released yet? – user3791372 Sep 02 '14 at 14:15
  • 1
    An easy way to do this is `$('form input[type=submit]') .before('
    Are you a human?
    ');` bots won't check the box because it's not part of the form. http://jsfiddle.net/s6jkchmz/     – TylerH Sep 02 '14 at 14:46
  • I don't see a setting for it in the reCAPTCHA admin panel, and when I mimic the layout [they](https://account.oneplus.net/sign-up) are using I get [`ERROR: Site key is not enabled for this API`](https://zornco.com/recaptcha.php). To me, that seems to tell us that it's a new reCAPTCHA API that not everyone has access to, yet. – Timothy Zorn Sep 09 '14 at 04:02
  • 1
    There's also the honeypot method of putting an irresistible input field in the form (like 'comments') and then hiding it with css/js. If the data is present then the sender is a bot. I've used this and it works surprisingly well. – David H. Bennett Dec 03 '14 at 15:19
  • 2
    FYI: http://googleonlinesecurity.blogspot.hu/2014/12/are-you-robot-introducing-no-captcha.html – Pred Dec 07 '14 at 11:06
  • I'm sure they use a lot of information to determine as well. How long before the user mouses into the captcha box, their behavior in the box, where the eventually click inside the box, etc. – FellowMD Jan 17 '15 at 22:16
  • Is there a way to restrict the checkbox by using checkbox ID or Class those were generated by dynamically, because I would wanna restrict the user if they didn't check the check box – Krish Nov 19 '15 at 13:09
  • Could this work by detecting mouse movement followed by a click in javascript? – MC9000 Sep 17 '18 at 11:36

5 Answers5

116

This entry does not answer the original question, however it helps to implement a similar solution. As @IanM said, the checkbox recaptcha is in beta phase and it can't be used without invitation.

IMPORTANT EDIT Google introduced the new reCAPTCHA

This is a JavaScript based CAPTCHA.

Since most spambots do not execute JavaScript and can not identify the correlation between the displayed text and the DOM or required actions they can not click on the checkbox.

Please note that there is no checkbox at all, it is just a div element with some CSS styling. Spambots are trying to fill the form input elements, but there is no input in the CAPTCHA. The check mark is just another div (css class).

When you click on the box an ajax request notifies the server that the div was clicked and the server stores this information in a temporary storage (marks the token: this token was activated by a human). When you submit the form, a hidden field sends the token which was activated, then when the server validates the form information it will recognize that the token was activated. If the token is not activated, the form will be invalidated.

The steps in bullet points:

  • Generate a unique identifier and add it to the form with a hidden input
  • Render a checkbox on the site (without using the <input> element, possibly using <div>) and add the previously generated identifier to it (you can use the html5 data-* attributes)
  • When the user clicks on the checkbox, send an ajax request to the server and validate the CAPTCHA, if it is valid mark it as in use. (Show the result - identifier is OK/not OK - to the user)
  • When the user sends the form, the form's data contains the identifier. Check it once more, it should exist and it should be in in use state.
  • If all validations are passed, the form's data is ready to use/process

You can bind the identifier to the user's session, IP address, and/or you can use time limits to improve security.

NOTE This kind of CAPTCHA only works when the JavaScript is enabled!

NOTE (edit 1) As @crazypotato stated, there are some automation tools, which can execute JavaScript, these tools also capable to send the proper AJAX request and fire the Click event on the checkbox div.

NOTE (edit 2) Please note that a script written to specifically one site or to break one type of captcha will got through sooner or later. There is no ultimate protection, you can only make the bots (or their developers) work harder.

NOTE (edit 3) The steps and the description in this answer only contains some basic information about this type of captcha, you always have to add additional validations and security steps to make it more secure. For example, Google noCaptcha systematically fires a standard reCaptcha after 3 "div clicks".

Pred
  • 8,789
  • 3
  • 26
  • 46
  • 4
    I think the question is specifically about "How do I enable this feature with Google's reCAPTCHA?" I'm pretty confident I can implement this myself, but it's not that simple with their case. – Madara's Ghost Sep 02 '14 at 15:04
  • If you click Report a Problem on the bottom of a Streetview page you get the same new Recaptcha. That is where I first saw it and found this SO page when I went searching. – user2605793 Oct 18 '14 at 05:16
  • 1
    What would prevent a bot from sending that ajax request? If everyone (or a semi-large site) were to implement a CAPTCHA like this it would surely be exploited anyway. Cloudflare has a similar bot-detection system that seems to work without requiring the user to do anything. – Steen Schütt Nov 27 '14 at 23:35
  • First of all, I totally agree with your comment and yes, a bot written directly to exploit one site will got throught (and this is true for any kind of capthas). I started my post with `most bots` and not `all bots`. There are also solutions when the image based captcha breaker simply sends the image to a software and a human types in the characters (and the employe is payed by the count of successful posts). How would you prevent this? :) – Pred Nov 28 '14 at 00:14
  • 1
    @Pred "Spambots are trying to fill the form input elements, but there is no input in the CAPTCHA." That's pathetic. jackiechanface.jpg – crazypotato Dec 04 '14 at 09:52
  • @crazypotato Can you say that a css formatted div as an (x)HTML(5) input element? – Pred Dec 04 '14 at 09:54
  • It can be anything. If its display in browser, you can automate click on this. In your previously comment you say something similar. But in answer wat??? Also most "spambots" can "solve" ReCaptcha, cause they use external service like antigate(and you say about this too in comment). Also (not) funny thing i can't and don't want solve ReCaptcha, so sites with this dead for me. – crazypotato Dec 04 '14 at 10:21
  • Also about javascript. [Selenium](http://www.seleniumhq.org/) [Mozrepl](https://addons.mozilla.org/en/firefox/addon/mozrepl/) – crazypotato Dec 04 '14 at 10:34
  • You are right, and as I stated in a previos comment, a script/bot written to specificaly one site will probably broke any kind of protection sooner or later. Why do not you write an answer or edit mine with your additional info? – Pred Dec 04 '14 at 11:09
30

This is a beta API for reCAPTCHA. I gather this from the source of their JS API: https://www.google.com/recaptcha/api.js referencing "API2". And I also found this: http://jaswsinc.com/recaptcha-ads/ (archived) Apparently they did an invite-only beta of their "no CAPTCHA reCAPTCHA" So.... You probably won't be able to make it work on your site, yet. I can't find any information on opting into the beta, but if you search for "No CAPTCHA reCAPTCHA beta" you can see a number of people that have mentioned getting the email from Google for them to join.

If you find a place to get into the beta, please share! Otherwise it looks like public release is coming in 2015...

0xInfection
  • 2,676
  • 1
  • 19
  • 34
Ian M
  • 821
  • 7
  • 18
  • 1
    You *could* try to frankenstein something together using http://www.gstatic.com/recaptcha/api2/r20140903161709/recaptcha__en.js if you search for "g-recaptcha", "I'm not a robot" or "checkbox" you can find the code that is implementing it there. – Ian M Sep 09 '14 at 12:26
  • 3
    Excerpt from the email: `We expect to move all existing reCAPTCHA sites to the new API in 2015.` – Timothy Zorn Sep 11 '14 at 03:29
  • 1
    Here's Google's blog post announcing the new No CAPTCHA reCAPTCHA feature: http://googleonlinesecurity.blogspot.com/2014/12/are-you-robot-introducing-no-captcha.html – Nealvs Dec 03 '14 at 21:27
  • 4
    Where does this explain, how the new `No CAPTCHA reCAPTCHA` works? – Nikhil Girraj Jun 19 '15 at 11:55
  • @Nikhil_Girraj if you notice, this answer was written before the "No CAPTCHA reCAPTCHA" was public (almost a year ago), so it addresses that it was in closed beta, and explains it should be available in 2015 (now). The original questions asks nothing of how it works, for that, here is the official reCAPTCHA page: https://www.google.com/recaptcha/intro/index.html or see the post below. – Ian M Jun 19 '15 at 13:03
  • 5
    @NikhilGirraj, if you'd like to know **how *No CAPTCHA reCAPTCHA* works**, I point you to [this post](http://scraping.pro/no-captcha-recaptcha-challenge/). – Igor Savinkin Aug 27 '15 at 08:22
  • 1
    This answer is very outdated by now. – Simon Forsberg Nov 09 '16 at 16:19
  • @simon this answer was written when the latest recaptcha was still in closed beta. – Ian M Nov 09 '16 at 22:22
  • @IanM I know, that's why I downvoted and added my comment. Today this answer does not provide much value. – Simon Forsberg Nov 10 '16 at 08:04
  • And the question is no longer relevant. This answer was correctly given for the question. – Ian M Nov 10 '16 at 08:06
8

Here is my code running without problem in PHP:

Client Side:

<div class="g-recaptcha" data-sitekey="PUBLIC_KEY"></div>

Server Side:

if (isset($_POST['g-recaptcha-response'])) {
    $captcha = $_POST['g-recaptcha-response'];
    $privatekey = "SECRET_KEY";
    $url = 'https://www.google.com/recaptcha/api/siteverify';
    $data = array(
        'secret' => $privatekey,
        'response' => $captcha,
        'remoteip' => $_SERVER['REMOTE_ADDR']
    );

    $curlConfig = array(
        CURLOPT_URL => $url,
        CURLOPT_POST => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POSTFIELDS => $data
    );

    $ch = curl_init();
    curl_setopt_array($ch, $curlConfig);
    $response = curl_exec($ch);
    curl_close($ch);
}

$jsonResponse = json_decode($response);

if ($jsonResponse->success == "true")
    doSomething();
else
    doSomeOtherThing();

:)

ismaestro
  • 7,561
  • 8
  • 37
  • 50
  • haven't you left out some parts of the client side / html code? just asking because in your PHP code you're checking against a post named `g-recaptcha-response` but no such element is defined in your client side code... am I missing something? – benomatis May 03 '16 at 19:42
  • @benomatis It's my understanding that `g-recaptcha-response` is the response returned by reCAPTCHA - it seems that if it's populated, the captcha was successfully passed (by the user). – Hashim Aziz Dec 28 '21 at 20:33
  • [Confirmed](https://developers.google.com/recaptcha/docs/verify) with a bit of searching. – Hashim Aziz Dec 28 '21 at 20:34
5

I came here in my search, did not see an answer, and so I kept searching.

After my search, this window was still open, so I am updating this post with my findings.

Here is where you can learn about reCAPTCHA:

http://scraping.pro/no-captcha-recaptcha-challenge/

Basically, though, you add this to your web page:

<script src="https://www.google.com/recaptcha/api.js" >;
<form method="post">
    <div class="g-recaptcha" data-sitekey="[site key issued by google]"></div>
    <input value="submit" type="submit" />
</form>

To get your reCAPTCHA keys, go to this Google site:

https://www.google.com/recaptcha/intro/index.html

Once you have your keys using the link above, you can get deeper into the coding of this using the following Google information:

https://developers.google.com/recaptcha/

NOTE:

From the Google documentation:

The script must be loaded using the HTTPS protocol and can be included from any point on the page without restriction.

Here is an example of how I got it to work:

<html>
<head>
    <title>Contact</title>
    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
    <script>
    var onloadCallback = function () {
        grecaptcha.render('dvCaptcha', {
            'sitekey': '<%=ReCaptcha_Key %>',
            'callback': function (response) {
                $.ajax({
                    type: "POST",
                    url: "CS.aspx/VerifyCaptcha",
                    data: "{response: '" + response + "'}",
                    contentType: "application/json; charset=utf-8",
                    dataType: "json",
                    success: function (r) {
                        var captchaResponse = jQuery.parseJSON(r.d);
                        if (captchaResponse.success) {
                            $("[id*=txtCaptcha]").val(captchaResponse.success);
                            $("[id*=lblAlarm]").hide();
                        } else {
                            $("[id*=txtCaptcha]").val("");
                            $("[id*=lblAlarm]").show();
                            var error = captchaResponse["error-codes"][0];
                            $("[id*=lblAlarm]").html("RECaptcha error. " + error);
                        }
                    }
                });
            }
        });
    };
    </script>
</head>
<body>
    <form action="?" method="POST">
        <div id="dvCaptcha" class="g-recaptcha" data-sitekey="[site key issued by google]"></div>
        <br />
        <asp:Button ID="btnSubmit" runat="Server" Text="Send" OnClick="btnSubmit_Click" />
        <asp:Label ID="lblAlarm" runat="server" ForeColor="Red"></asp:Label>
    </form>
</body>
</html>

If you need to validate in the ASP.NET code-behind, simply verify the "g-recaptcha-response" control is filled in:

protected static string ReCaptcha_Key, ReCaptcha_Secret;

protected void btnSubmit_Click(object sender, EventArgs e)
{
    if (!String.IsNullOrEmpty(Request.Form["g-recaptcha-response"]))
    {
        // other code
    } else
    {
       lblAlarm.Text = "reCAPTCHA failed.";
    }
}

Hopefully, some of you find this useful.

3

Thank you all for your contribution to this thread, it's great to see so many people interested in the new recaptcha tool.

I couldn't find a .net implementation of it, so have built a simple web forms control, that you can find here https://github.com/pnmcosta/recaptchav2dotnet

demonplus
  • 5,613
  • 12
  • 49
  • 68
Pedro Costa
  • 2,968
  • 2
  • 18
  • 30