 

How websites like Facebook are protected against bots without any captcha

How are websites like Facebook and Twitter protected against bots during registration? I mean, there's no captcha at all on the signup form?

I want to create a signup form for a project, and I don't want bots during registration, and captchas are often ugly.

edit: My question is really about registration, because I know Facebook uses captchas once you are registered for the first time.

Pier-Alexandre Bouchard Avatar asked Mar 27 '13 15:03





2 Answers

Facebook uses some sort of hidden spam protection; if you view the source of the sign-up form you will see things like:

class="hidden_elem"><div class="fsl fwb">Security Check</div>This is a standard security test that we use to prevent spammers from creating fake accounts and spamming users.

so the captcha becomes visible when the javascript thinks that you are a bot.

There are a few methods of making it harder for bots to complete registration without a captcha, things like the time taken to fill out the form, originators of mouse click events etc., and also random session-based values in the form (to prevent direct submissions without downloading the form first).

also some people use hidden form elements with common names like 'email' that are styled invisible in css, but common simple bots will try to fill out all form fields, so you can block them if this hidden element has any value.

twitter and fb spend a lot of time on developing techniques to block spammers; i don't think they will make it public, as it would be counterproductive for them in fighting the spammers.

But you can download all the client side javascripts from fb or twitter and study them if you want, because most of the protection will happen inside the client, not on the server.

the server could only issue some random session variable, check for valid headers in the request, overall time etc. It's really limited.

some sites also use ajax exchanges between server and client during the time when the user is filling out the form, mostly just to make it harder for bot developers to do similar fake exchanges of data.

Anyway, unfortunately there is no easy solution to do decent protection, especially without a captcha or some kind of question.

also, for the submit button you can use an image map instead of a button: you can dynamically create a big image with a submit button image drawn on it at a random position using things like GDI in PHP, use css to display only the portion of that image with the actual button, and on the server side check the X and Y position of where the mouse was clicked; this will be hard for bots to break, unless they use real browsers and just emulate keyboard and mouse. Anyway, as i said, unfortunately there is no easy solution.

Alex Novikov Avatar answered Oct 23 '22 06:10



One way would be to send a verification to the user's email address or cell phone and obtain verification (so in that case, you would have to allow only one email address or cell phone per account).

Another option is to use a "Negative CAPTCHA" or "Honeypot Captcha".

Csharp Avatar answered Oct 23 '22 07:10

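The first answer's session-bound random form value, fill-time check and CSS-hidden 'email' field, and the second answer's honeypot captcha, combined into one server-side validator. This is an added example written for this page, not code from either answer or from Facebook; the session dict, field names, thresholds and the constructed submissions in `demo()` are all assumptions.

```python
import hmac
import secrets
import time

MIN_FILL_SECONDS = 3.0        # a submission faster than this is suspicious
MAX_FORM_AGE_SECONDS = 3600   # issued tokens expire
HONEYPOT_FIELD = "email"      # hidden with CSS; humans never see or fill it
REAL_EMAIL_FIELD = "contact_address"  # the visible field uses a less obvious name


def issue_form(session, now=None):
    """Called when the blank form is rendered (the GET). Stores a per-session
    token and issue time; the token is echoed back as a hidden input."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    session["signup_token"] = token
    session["signup_issued_at"] = now
    return {"signup_token": token}


def validate_signup(session, form, now=None):
    """Returns (ok, reason); reason is a short label suitable for logging."""
    now = time.time() if now is None else now
    expected = session.get("signup_token")
    issued = session.get("signup_issued_at")
    if expected is None or issued is None:
        return False, "no_form_issued"     # direct POST without fetching the form
    submitted = form.get("signup_token", "")
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "bad_token"          # forged or replayed from another session
    if form.get(HONEYPOT_FIELD, "") != "":
        return False, "honeypot_filled"    # blind fill-every-field bots land here
    elapsed = now - issued
    if elapsed < MIN_FILL_SECONDS:
        return False, "too_fast"
    if elapsed > MAX_FORM_AGE_SECONDS:
        return False, "stale_form"
    session.pop("signup_token", None)      # single use: a replay fails next time
    session.pop("signup_issued_at", None)
    return True, "ok"


def demo():
    """Constructed sessions and submissions: one human-like, one bot-like."""
    human_session, bot_session = {}, {}
    h = issue_form(human_session, now=1000.0)["signup_token"]
    b = issue_form(bot_session, now=1000.0)["signup_token"]
    human_form = {"signup_token": h, REAL_EMAIL_FIELD: "a@example.com", HONEYPOT_FIELD: ""}
    bot_form = {"signup_token": b, REAL_EMAIL_FIELD: "x@spam.invalid", HONEYPOT_FIELD: "x@spam.invalid"}
    return (validate_signup(human_session, human_form, now=1012.0),
            validate_signup(bot_session, bot_form, now=1000.4))
```

The reason labels are worth counting per source address: a spike in `no_form_issued` or `bad_token` is exactly the direct-POST traffic the first answer describes.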