Does google reCAPTCHA v3 score drop after many requests?

I would expect reCAPTCHA v3's score to drop if a user (or bot) repeatedly does the same thing; however, that doesn't seem to be the case.

Here's a brief extract from my logs while I try different passwords at login on a site I'm building.

2018-07-19T17:24:04.580129+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:08.764677+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:11.441256+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:14.697840+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:17.074292+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:19.477029+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:24:21.962033+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:25:14.458404+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:25:18.515887+00:00: grecaptcha success, score=0.900, action=login_password
2018-07-19T17:25:21.599782+00:00: grecaptcha success, score=0.900, action=login_password

Is this a problem with v3 in beta, would the score drop if I tried a lot more times (hundreds) or is the score constant for a given session regardless of user behaviour?

Sorry if this is too product specific, but Google doesn't seem to suggest anywhere better to ask such questions, and they often do recommend SO.

SColvin asked Jul 19 '18 17:07


1 Answer

Well, I have tested reCAPTCHA v3 in many ways.

Good things are:

  • Most embedded browsers are unable to pass all of its security checks (so far I haven't found one that does), but real browsers like Internet Explorer, Firefox, Safari, Chrome etc. can easily pass all checks.
  • It doesn't require user input or interaction, so the user experience on your website remains the same.

Bad things are:

  • If you try to solve the captcha when you are not logged in to your Google account, then the score returned by reCAPTCHA will be lower than when you are logged in to your Google account in the browser.
  • After about 50 requests Google keeps sending a lower score like 0.3-0.5 even if you are human (and right now, anyone can open 50 pages within 10 minutes due to high-end devices, internet speed etc.).
  • It seems like Google is blocking the user's IP address, meaning if your score for website A is 0.3 then you will most likely get a 0.3 score for website B as well. That means if you spam a website having reCAPTCHA v3, then you are a spammer for all websites having reCAPTCHA v3 (this is a bad thing for website owners, because a spammer for one website can be a good customer for another one).

Update (21/08/2019)

  • reCAPTCHA v3 is a bit updated now, and you can consider a score equal to or lower than 0.3 as spam (that score is received if the end user is doing some automation over your website or doing some scripting task).
  • All legit users get a 0.9-0.7 score, but it is still returning a 0.3 score sometimes to legit users; on refresh it automatically gets fixed and the user gets a proper score, but still it's a bug or something went wrong with scoring. So it's better to check: if score <= 0.3 then it's spam, otherwise not.

Update (13/02/2021)

  • reCAPTCHA v3 studies the web page by monitoring user interaction with it and gives scores accordingly, meaning if your site gets many spam requests then it's obvious that any legit user will get a spam/lower score, which makes reCAPTCHA v3 useless to use over a site having a higher spam rate.
  • reCAPTCHA v3 is now better than before, so you can mark a request as spam if the score is lower than 0.5 (which was 0.3 before).

hsCode answered Sep 21 '22 00:09
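As an added example (not code from the question or the answer), here is a server-side check that applies the answer's advice: treat the siteverify score as one signal, reject below the threshold the 2021 update recommends (0.5), and also confirm the token was minted for the expected action and hostname. The JSON field names are those of the real siteverify response; the sample responses and the hostname example.com are constructed.

```python
"""Evaluate a reCAPTCHA v3 siteverify response before trusting a request.

Added example. The siteverify JSON fields used here (success, score,
action, hostname, error-codes) are the real ones; every sample response
in this file is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Threshold from the answer's 2021 update: scores below 0.5 are suspect.
DEFAULT_THRESHOLD = 0.5


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    score: Optional[float] = None


def evaluate_siteverify(resp: dict, expected_action: str,
                        expected_hostname: str,
                        threshold: float = DEFAULT_THRESHOLD) -> Decision:
    """Decide whether a v3 assessment should let the request proceed.

    A verified token is not a trustworthy request by itself: it must have
    been issued for *this* action on *this* host, and the score must clear
    the operator-chosen threshold. Each check fails closed.
    """
    if not resp.get("success"):
        codes = ",".join(resp.get("error-codes", [])) or "unknown"
        return Decision(False, f"token invalid ({codes})")
    if resp.get("action") != expected_action:
        return Decision(False, f"action mismatch: {resp.get('action')!r}")
    if resp.get("hostname") != expected_hostname:
        return Decision(False, f"hostname mismatch: {resp.get('hostname')!r}")
    score = float(resp.get("score", 0.0))
    if score < threshold:
        return Decision(False, f"score {score:.3f} below {threshold}", score)
    return Decision(True, "ok", score)


if __name__ == "__main__":
    # Constructed sample: the 0.9 case seen in the question's logs.
    sample = {"success": True, "score": 0.9, "action": "login_password",
              "hostname": "example.com", "challenge_ts": "2018-07-19T17:24:04Z"}
    for r in (sample, dict(sample, score=0.3), dict(sample, action="signup"),
              {"success": False, "error-codes": ["timeout-or-duplicate"]}):
        print(evaluate_siteverify(r, "login_password", "example.com"))
```

The question's log shows ten password attempts all scoring 0.900, so a passing score says nothing about how many logins a given account has failed; a per-account failed-attempt counter or lockout in the application is still needed alongside this check.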