Topic: Captcha bypass (Read 2157 times)
Captcha bypass appears to be broken?
I have a guide video on this, not too good in quality but it might help for newbies, who are not familiar with the forum structure and its operations.
https://www.youtube.com/watch?v=k0kBvOXizhg&feature=youtu.be
The most important thing when one uses captcha bypass code is keep the code in secret and secure it as best as possible. Losing the code will result in risks of account hack. If one unintentionally disclose captcha code, using the reset to get a new one + change password to a new one.
https://www.youtube.com/watch?v=k0kBvOXizhg&feature=youtu.be
The most important thing when one uses captcha bypass code is keep the code in secret and secure it as best as possible. Losing the code will result in risks of account hack. If one unintentionally disclose captcha code, using the reset to get a new one + change password to a new one.
When I created an account to use for testing automated scripts, I used the following procedure:
-Create account*
-login first time*
-obtain captcha bypass link
-logout
-login all subsequent times using bypass link
The steps with a * above require solving a captcha, so you need to solve once twice and never need to solve one after the second one.
-Create account*
-login first time*
-obtain captcha bypass link
-logout
-login all subsequent times using bypass link
The steps with a * above require solving a captcha, so you need to solve once twice and never need to solve one after the second one.
Is there a reason that the site couldn't use an old login cookie to let you bypass the captcha for the same account only and get upto one wrong password?
I can't answer this question, but with the right cookie set, I never have to login, thus never see the captcha. This even works on Tor, as long as you allow cookies.So I assume the captcha bypass is mainly for Tor users who don't want to use cookies, although I use it (without Tor) when I use LoyceMobile in a private browser (I don't logout LoyceV).
I just discovered this captcha bypass and it 90% answers what I wanted... but since it's not 100%:
Is there a reason that the site couldn't use an old login cookie to let you bypass the captcha for the same account only and get upto one wrong password?
This way a user that enters their password successfully doesn't ever need to captcha again after the initial sign-up. There would also be no risk of losing control of the cookie, since it will only allow one unsuccessful captcha-free login per successful login to the same account.
[I find the captcha a nuisance because I have to temporarily disable third party script blocking, plus I sometimes fail to be human enough for it...]
Is there a reason that the site couldn't use an old login cookie to let you bypass the captcha for the same account only and get upto one wrong password?
This way a user that enters their password successfully doesn't ever need to captcha again after the initial sign-up. There would also be no risk of losing control of the cookie, since it will only allow one unsuccessful captcha-free login per successful login to the same account.
[I find the captcha a nuisance because I have to temporarily disable third party script blocking, plus I sometimes fail to be human enough for it...]
Yes, Essentially CAPTCHA can prevent spam from robots, but sometimes it sucks the user himself, especially for the blind this is a pity. CAPTCHA is hard to read.
On the other hand the CAPTCHA works correctly preventing bots, for that there are quite a lot of services that provide automatic CAPTCHAs such as bypassing CAPTCHAs.
I hope this can solve the constant CAPTCHA problem in the web browser, and hope for ways to bypass it by completing it automatically and well, thanks @themmos for this.
On the other hand the CAPTCHA works correctly preventing bots, for that there are quite a lot of services that provide automatic CAPTCHAs such as bypassing CAPTCHAs.
I hope this can solve the constant CAPTCHA problem in the web browser, and hope for ways to bypass it by completing it automatically and well, thanks @themmos for this.
CAPTCHAs generally have a tolerance towards mini typos. So even if you entered "noclick" or "nodick", it'd still let you pass thru
Yes, Essentially CAPTCHA can prevent spam from robots, but sometimes it sucks the user himself, especially for the blind this is a pity. CAPTCHA is hard to read.
On the other hand the CAPTCHA works correctly preventing bots, for that there are quite a lot of services that provide automatic CAPTCHAs such as bypassing CAPTCHAs.
I hope this can solve the constant CAPTCHA problem in the web browser, and hope for ways to bypass it by completing it automatically and well, thanks @themmos for this.
On the other hand the CAPTCHA works correctly preventing bots, for that there are quite a lot of services that provide automatic CAPTCHAs such as bypassing CAPTCHAs.
I hope this can solve the constant CAPTCHA problem in the web browser, and hope for ways to bypass it by completing it automatically and well, thanks @themmos for this.
Personally, I think more should be done to make TOR users have to jump through hoops to access the forum, not the other way around. This is probably outstanding news to those who use alt accounts regularly though.
The administration does not do anything about alt accounts, even those of scammers well over 99% of the time, and does not even put much effort into finding alt accounts of banned users. Also, it is possible to find alt accounts that are all using TOR, even if they are taking a lot of precautions against detection.
Personally, I think more should be done to make TOR users have to jump through hoops to access the forum, not the other way around. This is probably outstanding news to those who use alt accounts regularly though.
I guess you didn't see this:
Yeah, I didn't see it. I also tried it by myself as @UserU do and it showed the same message as him. We have to log in first to get the captcha code. I guess you didn't see this:
I tested it, and it showed "You have to login first".
Maybe theymos could just add SolveMedia to alleviate the whole thingy.
It is very useful for me, I don't need to deal with captcha 3-10 times in a day anymore. Thanks @theymos
I guess you didn't see this:
Bump
I know maybe it's not the newest update on bitcointalk, but I just read it recently. Thanks to @LoyceV for bumping this topic [GUIDES] on Bitcointalk. Index thread because of that I can found it.
It is very useful for me, I don't need to deal with captcha 3-10 times in a day anymore. Thanks @theymos
And from my sight, it doesn't have high traffic views. So I translated it to my native language with my comprehension to share it on my local board. I'll be glad if you want to visit on my thread here
I know maybe it's not the newest update on bitcointalk, but I just read it recently. Thanks to @LoyceV for bumping this topic [GUIDES] on Bitcointalk. Index thread because of that I can found it.
It is very useful for me, I don't need to deal with captcha 3-10 times in a day anymore. Thanks @theymos
And from my sight, it doesn't have high traffic views. So I translated it to my native language with my comprehension to share it on my local board. I'll be glad if you want to visit on my thread here
Perhaps a solution would be to invalidate the code after xxx number of consecutive attempts to login to an account not associated with the code.
Shouldn't that be implemented for incorrect passwords too? If you fail more than 10 times, you should get a captcha again. That also stops any brute-force attack in case your unique link is leaked:Quote from: https://bitcointalk.org/captcha_code.php
If someone else gains access to your unique captcha-bypass link, then they could try to brute-force your password. In that case, you should reset it:
My login code (that I have since reset) is 893f4e9d4e171dc97db6 -- If someone were to know that someone uses this code, they could attempt to login using every username until they don't get an error message anymore, then bruteforce my password.
Another solution might be to only give the error message for the first xxx consecutive attempts to login to an account not associated with the code but keep the code active. This would prevent an attacker forcing someone to use the captcha while reducing the risk that an attacker could use a captcha bypass code to first bruteforce which account it is associated with and then bruteforce the PW
Perhaps a solution would be to invalidate the code after xxx number of consecutive attempts to login to an account not associated with the code.
Shouldn't that be implemented for incorrect passwords too? If you fail more than 10 times, you should get a captcha again. That also stops any brute-force attack in case your unique link is leaked:Quote from: https://bitcointalk.org/captcha_code.php
If someone else gains access to your unique captcha-bypass link, then they could try to brute-force your password. In that case, you should reset it:
Another Q - This captcha bypass link.
If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
It looks like you will get an error message if you try to login using a link that is not associated with the account you are trying to login to. You could presumably brute force which account is associated with a code by trying to login to every account until you no longer get an error message. I suspect theymos would detect this and invalidate the code before someone could try many accounts. If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
OH DAMN
For all other accounts it gives "invalid code" with incorrect password.
For the correct account it gives "invalid password" with incorrect password.
It lets you try as fast as you can too.
It would be easy to brute force if you had a list of suspects, even the list of active accounts isn't that many if you use a bot.
Bug?
Perhaps a solution would be to invalidate the code after xxx number of consecutive attempts to login to an account not associated with the code.
Another Q - This captcha bypass link.
If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
It looks like you will get an error message if you try to login using a link that is not associated with the account you are trying to login to. You could presumably brute force which account is associated with a code by trying to login to every account until you no longer get an error message. I suspect theymos would detect this and invalidate the code before someone could try many accounts. If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
OH DAMN
For all other accounts it gives "invalid code" with incorrect password.
For the correct account it gives "invalid password" with incorrect password.
It lets you try as fast as you can too.
It would be easy to brute force if you had a list of suspects, even the list of active accounts isn't that many if you use a bot.
Bug?
Another Q - This captcha bypass link.
If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
It looks like you will get an error message if you try to login using a link that is not associated with the account you are trying to login to. You could presumably brute force which account is associated with a code by trying to login to every account until you no longer get an error message. I suspect theymos would detect this and invalidate the code before someone could try many accounts. If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
I FINALLY BEAT GOOGLE!!!
You can register if you try a bajillion times. It does eventually let you in after an hour of training the self driving cars/skynet killbots.
I expected to be hit by an evil fee but their was no mention of it. Is that still a thing or did I get lucky and happen to be on a rare IP?
Another Q - This captcha bypass link.
If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
You can register if you try a bajillion times. It does eventually let you in after an hour of training the self driving cars/skynet killbots.
I expected to be hit by an evil fee but their was no mention of it. Is that still a thing or did I get lucky and happen to be on a rare IP?
Another Q - This captcha bypass link.
If someone were to find my link in a file would they be able to figure out what account is related to that link short of subpoenaing Theymos?
Such a wonderful improvement! Last time I was active I just didn't want to get in because of such annoying captcha.
Jump to: