22

Google has rolled out reCAPTCHA v3. It does away with all the user friction. I wish to use it to secure my site. However, I am unsure about how this is going to protect my site. What if a hacker spams the URLs on my site with an external tool without using the interface I provide? How is reCAPTCHA v3 going to stop that?

Chong Lip Phang
  • Note that Google *intends* it to be lower-friction but that's not always the case. For example, my browser is hardened against tracking and fingerprinting, and, as a result, it can take up to a minute of clicking through CAPTCHAs before reCAPTCHA lets me through. (A trade-off I'm willing to accept if I must. Google already knows enough about me as-is.) – ssokolow Jul 13 '19 at 13:24

3 Answers

25

How is reCAPTCHA v3 going to stop [spam]?

There are various heuristics which can be used to detect automated systems, such as the number of requests coming from a certain IP, browser fingerprinting, Google account cookies, among many others. Google seems to use some of them. If uncertain, a challenge gets shown.

What if a hacker spams the URLs on my site with an external tool without using the interface I provide?

Google generates a token for the client when they pass the checks, which you have to validate on the server side. If someone doesn't pass the CAPTCHA (a robot), they do not have a token.

Jonas Wilms
  • In theory it is beautiful. In reality it is ugly: reCAPTCHA v3 is harmful, the worst user experience you can give to a user trying to use your website. – barbolo Nov 28 '19 at 11:22
  • @barbolo v3 is unobtrusive, so what makes it the worst user experience? – christopher.theagen Dec 12 '19 at 21:55
  • @cthorpe It's interesting that Google (Youtube) doesn't use V3. It uses v2 (for retrieving user emails). V3 will load on page load, even if the user never interacts with the form. V2 can be set up to be loaded on demand, thus reducing initial page load. V3 doesn't work like this. Thus, in terms of user experience, loading the V3 on every page load can cause unnecessary delays that V2 might not have. – Jarom Jan 28 '20 at 17:59
  • @Jarom, the v3 docs specifically say "make sure to call execute when the user takes the action rather than on page load". v3 can and should be loaded on demand just like v2. – OfficeAddinDev Jul 30 '20 at 22:35
  • @officeAddinDev what does "load" mean for you? What does calling execute do, do you know? – Jonas Wilms Jul 30 '20 at 23:03
  • @OfficeAddinDev The script loads on page load regardless, but the token expires after two minutes and should be called on execute instead of page load. See the documentation: https://developers.google.com/recaptcha/docs/v3. The V3 script is always loaded up front (which causes problems with page load times as I mentioned), but V2 can be loaded and called on demand. – Jarom Aug 03 '20 at 16:41
  • Both v2 and v3 are spyware, like most Google products. – DylanYoung Jul 15 '22 at 19:49
11

In addition to the user behavior tracking on your site (as explained by Jonas Wilms), the v3 (and v2) also makes decisions based on your IP, ASN, browser and any kind of information about your system based on the information sent via your HTTP request.

The only difference is that V2 is a complete solution, i.e., if it thinks a user may be a bot, it will pose additional challenges until it is convinced the user is a human. On the other hand, V3 is non-intrusive. It generates a score based on the parameters discussed above and passes it on to you. It is then your decision to take appropriate steps (like posing challenges, or requiring two-factor authentication, etc.) based on this score.

IMO, it is better to start with a V2 solution and implement V3 if you want more control or have a better way to challenge the user if they have a low score.

(Here is an interesting article on the differences)

nitarshs
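Both the answer by Jonas Wilms (the token that must be validated on the server side) and the one by nitarshs (v3 hands you a score and the decision is yours) come down to one server-side step: the browser gets a token from grecaptcha.execute(), the form posts it, and your server forwards it to Google's siteverify endpoint and acts on the verdict. The Node.js example below is added here to show that step; it is not code from either answer. The siteverify URL and the response fields (success, score, action, challenge_ts, hostname, error-codes) are Google's documented ones; the score thresholds, the example.com hostname, the login action, the request object shape and the sample verdict are assumptions for illustration, and the verdict is a constructed object so the decision logic runs without network access.

```javascript
// Added example (not from the original answers): server-side handling of a
// reCAPTCHA v3 token. Only the decision logic is exercised offline; the real
// siteverify call lives in callSiteverify() and needs network access plus
// your secret key.

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Policy thresholds: assumptions for this example, tune them per action.
const SCORE_ALLOW = 0.7;                // at or above: let the request through
const SCORE_CHALLENGE = 0.3;            // at or above: step up (v2 challenge, OTP, 2FA); below: reject
const MAX_TOKEN_AGE_MS = 2 * 60 * 1000; // v3 tokens are valid for two minutes

// Constructed sample verdict in the shape of a real siteverify response.
const SAMPLE_VERDICT = {
  success: true,
  score: 0.9,
  action: 'login',
  challenge_ts: '2020-07-30T22:35:00Z',
  hostname: 'example.com',
};

// Real transport: POST the secret, the token and (optionally) the client IP
// to Google. Uses the global fetch available in Node 18+.
async function callSiteverify(secret, token, remoteIp) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  const res = await fetch(SITEVERIFY_URL, { method: 'POST', body });
  return res.json();
}

// Pure decision logic, kept separate from the transport so it can be tested
// offline. `expected` is { action, hostname } for this endpoint; `now` is the
// current time in ms since the epoch, used to bound the token's age.
function decide(verdict, expected, now = Date.now()) {
  if (!verdict || verdict.success !== true) {
    // Missing, forged, expired or already-used token. Google reports
    // 'timeout-or-duplicate' for a replayed token: each token verifies once.
    return { outcome: 'reject', reason: 'invalid token', codes: (verdict && verdict['error-codes']) || [] };
  }
  if (verdict.action !== expected.action) {
    // A token minted for another action is not valid for this endpoint.
    return { outcome: 'reject', reason: 'action mismatch' };
  }
  if (verdict.hostname !== expected.hostname) {
    // Token was obtained on a page served from a different host.
    return { outcome: 'reject', reason: 'hostname mismatch' };
  }
  const issued = Date.parse(verdict.challenge_ts);
  if (Number.isNaN(issued) || now - issued > MAX_TOKEN_AGE_MS) {
    return { outcome: 'reject', reason: 'token too old' };
  }
  const score = Number(verdict.score);
  if (!Number.isFinite(score)) {
    return { outcome: 'reject', reason: 'no score' };
  }
  if (score >= SCORE_ALLOW) return { outcome: 'allow', score };
  if (score >= SCORE_CHALLENGE) return { outcome: 'challenge', score };
  return { outcome: 'reject', reason: 'low score', score };
}

// Request handler. `req` is assumed to carry the parsed form body and the
// client IP; `siteverify` is injectable so the demo below can use a stub.
async function handleSubmission(req, { secret, expected, siteverify = callSiteverify, now = Date.now() }) {
  const token = req.body && req.body['g-recaptcha-response'];
  if (typeof token !== 'string' || token.length === 0) {
    // A scripted POST that bypassed the page never ran grecaptcha.execute(),
    // so it arrives without a token: reject before any business logic runs.
    return { outcome: 'reject', reason: 'no token' };
  }
  const verdict = await siteverify(secret, token, req.ip);
  return decide(verdict, expected, now);
}

// Stand-alone demo with the constructed verdict (no network).
handleSubmission(
  { body: { 'g-recaptcha-response': 'token-from-grecaptcha-execute' }, ip: '203.0.113.5' },
  {
    secret: 'YOUR_SECRET_KEY',
    expected: { action: 'login', hostname: 'example.com' },
    siteverify: async () => SAMPLE_VERDICT,
    now: Date.parse('2020-07-30T22:36:00Z'),
  },
).then((d) => console.log(d)); // { outcome: 'allow', score: 0.9 }
```

On the page, call grecaptcha.execute(siteKey, { action: 'login' }) when the user actually submits (as the v3 docs and the comment thread above say, not on page load, since the token expires after two minutes) and put the returned token in the g-recaptcha-response field. A tool that posts straight to the URL without loading the page has no token and fails the first check; a token captured from a real browser and replayed fails at siteverify itself, because Google accepts each token only once.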
0

In a few simple words, Google tracks your whole cursor and keyboard movement, from moving the mouse to select form fields to pressing Tab to change fields.

To verify whether reCAPTCHA is working: submit a form and then click refresh; the browser will ask for re-submission. Click continue. Because this is very similar to robot activity (submitting a form without any cursor or keyboard movement), reCAPTCHA will prevent the form submission or anything else from happening.