Way to skip reCAPTCHA images challenge

elegant-user · Aug 18, 2017 · Viewed 42.3k times

I am implementing reCAPTCHA on one of my websites and I have successfully implemented it. It is working fine. Sometimes the reCAPTCHA gets completed only by clicking the "I'm not a Robot" checkbox, but sometimes it shows the images grid to select the correct images and complete the captcha.

I was just wondering if this is possible or not. Can we disable the images selection challenge so the reCAPTCHA can be completed only by clicking the "I'm not a Robot" checkbox? What is the theory of Google for showing the images grid?

I have already read this: Prevent reCaptcha multiple image selections, but there is not enough information there.

Thanks!

I have included recaptcha/api.js below.

    <script src="https://www.google.com/recaptcha/api.js?onload=onloadCallbackAuto&render=explicit&hl=<?php echo $lang;?>" async defer></script>

My reCAPTCHA code is below:

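    // Receives the response token once the user passes the challenge.
    var verifyCallback = function(response) {
         /// do something....
    };
    // Runs once api.js has loaded (onload=onloadCallbackAuto); with
    // render=explicit, grecaptcha is only available from this point on.
    var onloadCallbackAuto = function() {
         /// do something....
         grecaptcha.render('gReCaptchaDiv', {
             'sitekey' : '<?php echo $siteKey;?>',
             'callback' : verifyCallback,
             'theme' : 'light'
         });
    };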

Answer

Christos Lytras · Aug 24, 2017

The new Google reCaptcha implements some sophisticated algorithms to decide if there is a real user or not. Some methods used are detection of request repeatedness (if there is a request repeating again and again in a small time period from one particular source), time counting (how much time has passed since the script was initialized), cursor events (like moving and clicking), scroll events, common JavaScript event triggering and XHR calls.

All these and many more methods combine in the invisible reCaptcha, and in the case of the Checkbox reCaptcha, some of these detection methods get triggered as well. If the algorithm detects something unusual for a human user, for example, clicking on the reCaptcha checkbox without the mousemove event being triggered, then that will not evaluate to a human result, and thus reCaptcha has to rely on something else to ensure that there is a human doing stuff and not a script bot.

The answer is that you cannot avoid it. If the basic reCaptcha method fails then it has to do something to provide protection.

Keep in mind that the users of your application will not see the images method very often like you do. I guess that you're doing some testing and trying the same things again and again after doing some code updates, thus you get the reCaptcha failing more often due to the repeatedness from the same source.
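
A sketch of the kind of decision the answer describes, added here as an illustration; it is not Google's algorithm and not code from the post. It combines three of the signals named above (request repeatedness, time since script initialization, a click with no preceding mousemove) and shows why retesting from one source starts to produce image challenges. All names, thresholds and sample values are assumptions.

```javascript
// Illustrative only: thresholds and field names are assumptions, not Google's.
const WINDOW_MS = 60_000;    // look-back window for repeated requests
const MAX_REPEATS = 3;       // attempts tolerated per source inside the window
const MIN_DWELL_MS = 1_500;  // minimum time between script init and the click

const attemptLog = new Map(); // source -> timestamps of recent attempts

// Returns { action: 'pass' | 'image-challenge', reasons: [...] }.
function assessAttempt({ source, now, scriptInitAt, events }) {
  const reasons = [];

  // Request repeatedness: count attempts from this source within the window.
  const recent = (attemptLog.get(source) || []).filter(t => now - t < WINDOW_MS);
  recent.push(now);
  attemptLog.set(source, recent);
  if (recent.length > MAX_REPEATS) reasons.push('repeated-requests');

  // Time counting: a click right after initialization is unusual.
  if (now - scriptInitAt < MIN_DWELL_MS) reasons.push('too-fast');

  // Cursor events: a checkbox click with no mousemove before it is unusual.
  const clickIdx = events.indexOf('click');
  const beforeClick = clickIdx < 0 ? events : events.slice(0, clickIdx);
  if (!beforeClick.includes('mousemove')) reasons.push('click-without-mousemove');

  // Any unusual signal means the checkbox alone is not trusted.
  return { action: reasons.length ? 'image-challenge' : 'pass', reasons };
}

// Constructed sample input: a developer retesting the same form from one address.
function simulateDeveloperRetest() {
  attemptLog.clear();
  const actions = [];
  for (let i = 0; i < 5; i++) {
    const now = 100_000 + i * 5_000;   // one attempt every 5 seconds
    actions.push(assessAttempt({
      source: '203.0.113.10',          // documentation-range address
      now,
      scriptInitAt: now - 4_000,
      events: ['mousemove', 'mousemove', 'click'],
    }).action);
  }
  return actions;
}
```

In the simulated retest every attempt looks human on its own; only the repetition from one source pushes the later attempts to the image challenge, which matches the answer's point about testing.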