How does Google's reCAPTCHA v3 work?

Chong Lip Phang · Jul 4, 2018

Google has rolled out reCAPTCHA v3. It does away with all the user friction. I wish to use it to secure my site. However, I am unsure about how this is going to protect my site. What if a hacker spams the URLs on my site with an external tool without using the interface I provide? How is reCAPTCHA v3 going to stop that?

Answer

Jonas Wilms · Jul 4, 2018

How is reCAPTCHA v3 going to stop [spam]?

There are various heuristics which can be used to detect automated systems, such as the number of requests coming from a certain IP, browser fingerprinting, Google account cookies, among many others. Google seems to use some of them. If uncertain, a challenge gets shown.

What if a hacker spams the URLs on my site with an external tool without using the interface I provide?

Google generates a token for the client when they pass the checks which you have to validate on the server side. If someone doesn't pass the CAPTCHA (a robot), they do not have a token.
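
The server-side validation described in the answer above, as an added example that is not part of the original answer: the handler rejects any request without a token, sends the token to Google's `siteverify` endpoint, and checks the returned `success`, `hostname`, `action` and `score` fields. The secret placeholder, the `example.com` hostname, the `comment` action, the 0.5 threshold and the `fake_transport` stand-in with its tokens are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def post_form(url, fields, timeout=5):
    """Default transport: POST form fields, return the decoded JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return json.load(resp)


def check_token(token, secret, action, hostname, min_score=0.5, transport=post_form):
    """Return (allowed, reason) for one incoming form submission."""
    # A request sent straight to the URL, bypassing the page's JavaScript,
    # carries no token: reject it without contacting Google.
    if not token:
        return False, "missing token"
    try:
        reply = transport(VERIFY_URL, {"secret": secret, "response": token})
    except (OSError, ValueError):
        return False, "verification unavailable"  # fail closed
    if not reply.get("success"):
        return False, "rejected: " + ",".join(reply.get("error-codes", []))
    # Bind the token to this site and this form so it cannot be reused elsewhere.
    if reply.get("hostname") != hostname:
        return False, "hostname mismatch"
    if reply.get("action") != action:
        return False, "action mismatch"
    if reply.get("score", 0.0) < min_score:
        return False, "score below threshold"
    return True, "ok"


# Constructed stand-in for Google's reply so the example runs offline.
def fake_transport(url, fields):
    replies = {
        "tok-human": {"success": True, "score": 0.9, "action": "comment", "hostname": "example.com"},
        "tok-bot": {"success": True, "score": 0.1, "action": "comment", "hostname": "example.com"},
        "tok-login": {"success": True, "score": 0.9, "action": "login", "hostname": "example.com"},
    }
    return replies.get(fields["response"], {"success": False, "error-codes": ["invalid-input-response"]})


def demo():
    return [check_token(t, "SECRET_PLACEHOLDER", "comment", "example.com", transport=fake_transport)
            for t in ("", "tok-human", "tok-bot", "tok-login", "tok-forged")]
```

In a real handler, call `check_token` with the default transport before performing the protected action, and keep the secret key out of client-side code.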