Hearing that ReCaptcha can read all the extensions (or Tampermonkey scripts) someone has on his PC, is there any way to evade this? Any type of script or piece of code or settings.
This theory was confirmed: once I log in to any site with Chrome Automation Extension, I get flagged immediately. Even though it just exposes an API of Chrome Options for another task that has nothing to do with ReCaptcha. Just loading any webpage (site) with ReCaptcha will trigger the captcha.
Here's the background.js. How can I change it to be unnoticeable to other apps?
```javascript
// Copyright (c) 2013 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

/*
 * Checks for an extension error that occurred during the asynchronous call.
 * If an error occurs, will invoke the error callback and throw an exception.
 *
 * @param {function(!Error)} errCallback The callback to invoke for error
 *     reporting.
 */
function checkForExtensionError(errCallback) {
  if (typeof(chrome.extension.lastError) != 'undefined') {
    var error = new Error(chrome.extension.lastError.message);
    errCallback(error);
    throw error;
  }
}

/**
 * Captures a screenshot of the visible tab.
 *
 * @param {function(string)} callback The callback to invoke with the base64
 *     encoded PNG.
 * @param {function(!Error)} errCallback The callback to invoke for error
 *     reporting.
 */
function captureScreenshot(callback, errCallback) {
  chrome.tabs.captureVisibleTab({format:'png'}, function(dataUrl) {
    if (chrome.extension.lastError &&
        chrome.extension.lastError.message.indexOf('permission') != -1) {
      var error = new Error(chrome.extension.lastError.message);
      error.code = 103;  // kForbidden
      errCallback(error);
      return;
    }
    checkForExtensionError(errCallback);
    var base64 = ';base64,';
    callback(dataUrl.substr(dataUrl.indexOf(base64) + base64.length))
  });
}

/**
 * Launches an app with the specified id.
 *
 * @param {string} id The ID of the app to launch.
 * @param {function()} callback Invoked when the launch event is complete.
 * @param {function(!Error)} errCallback The callback to invoke for error
 *     reporting.
 */
function launchApp(id, callback, errCallback) {
  chrome.management.launchApp(id, function() {
    checkForExtensionError(errCallback);
    callback();
  });
}
```
MANIFEST:
```json
{
  "key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDr+Q7QFcTr4Wmn9sSICKWbxnYLhIM0ERbcapZCDmpAkiBUhOPt+KkYnTdUFl4Kx2xv02MwIowh36Fho9Dhqh7cPWGIPsLHUaJosO6t6oaHxQsMQS/K4MlnP5pNJykExo82DcajSXGV+mIQH3RslxL+XhtmIh2BQLwbizVG0bA+mwIDAQAB",
  "name": "Chrome Automation Extension",
  "version": "1",
  "manifest_version": 2,
  "description": "Exposes extension APIs for automating Chrome",
  "background": {
    "scripts": ["background.js"]
  },
  "permissions": [
    "tabs", "management", "<all_urls>"
  ]
}
```
You can read a lot of information about reCaptcha and how to cheat it from this PDF: "I'm not a human: Breaking the Google reCAPTCHA".
Google reCaptcha checks malicious actions using these details:
If anything is wrong (e.g. the browser version is not matched with the user agent, or a suspicious mouse move was detected), reCaptcha requires verification.
PS: Actually, I think reCaptcha doesn't look for extensions (also it's not possible, because browsers don't give permission to list extensions), except it can detect if any extension has injected suspicious code into the website.
You can also check the de-obfuscated source code of reCaptcha here.