Privacybadger: Privacy Badger breaks reCAPTCHA

This seems like a high profile, persistent issue. Here are the report counts by month of reports where the user uses the word "recaptcha" in the message:

| ym      | count(*) |
+---------+----------+
| 2017-09 |       32 |
| 2017-08 |       21 |
| 2017-07 |       18 |
| 2017-06 |       15 |
| 2017-05 |       18 |
| 2017-04 |       22 |
| 2017-03 |       37 |
| 2017-02 |       25 |
| 2017-01 |       20 |
| 2016-12 |       18 |
| 2016-11 |        1 |
| 2016-10 |        5 |
| 2016-09 |        8 |
| 2016-08 |        6 |
| 2016-07 |        3 |
| 2016-06 |        8 |
| 2016-05 |        1 |
| 2016-04 |        1 |
| 2016-02 |        2 |
| 2016-01 |        1 |
| 2015-11 |        3 |
| 2015-10 |        3 |
| 2015-09 |        3 |
| 2015-08 |        4 |
+---------+----------+

I visited a few page URLs, but haven't yet seen Privacy Badger learn to block gstatic.com (or whatever domains reCAPTCHA depends on).

Here's a webpage that one could try to reproduce the problem on: https://www.codeweavers.com/about/contact-us

However, possibly (I don't know) the page may generate a captcha only when it detects a proxy and/or VPN.

I am having this problem all over the web. There is no placeholder where I can even see the reCAPTCHA was supposed to be. Signing up for things with Privacy Badger enabled is impossible. You can test this for example: https://www.dailykos.com/users/signup. I do use a VPN at all times as well as self-destructing cookies.

Same issue - PrivacyBadger breaking ReCaptcha form submission on many sites. It took me a while to determine that ReCaptcha was the problem.
Example: https://www.2-harvest.org/contact/

And those capchas, with their near-unsolvable conundra - does a quarter of a sign-post count as a signpost? Is a van a 'car'? - are irritating enough already!

Another example that is broken. https://www.burpee.com/contactus. I slid "www.google.com" to yellow and it seems to allow enough to let the CAPTCHA to work

Another example: https://blog.0patch.com/2018/01/bringing-abandoned-equation-editor-back.html#comment-form

On 32-bit Firefox v 59.0.2 with Privacy Badger 2018.4.23 installed, publishing or previewing a comment results in the blog page just reloading, effectively just clearing out the comment you wrote. Feel free to test, this is our blog and we have moderation enabled so you won't be littering.

i am able to see the recaptcha thing, but when i check "i'm not a robot" it always asks me to identify "which of these tiles has a car in it" or some such nonsense. even if i SOLVE it and it accepts me as human, if i just refresh the page and check "i'm not a robot" again, i have to RE-SOLVE yet an other "identify this thing" puzzle. please can't you just whitelist the sites google uses for recaptcha? disabling the badger on the site makes the checkbox alone work. using firefox (latest, mac)

Is this issue being worked on? It is very irritating to have to disable Privacy Badger ever time I encounter reCAPTCHA

Hi @szock, is Privacy Badger blocking www.google.com or any other google.com domains when this happens? Does setting those domains to "yellow" or "green" and reloading the page work around the problem?

I imagine that many using Privacy Badger would hesitate from whitelisting one of the biggest tracking companies on the Web...

Is there a specific subdomain used by reCAPTCHA?
On 24 Nov 2018, 15:31 +1100, Alexei notifications@github.com, wrote:

Hi @szock, is Privacy Badger blocking www.google.com or any other google.com domains when this happens? Does setting those domains to "yellow" or "green" and reloading the page work around the problem?
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or mute the thread.

I've been looking through error reports ("Did Privacy Badger break this site? Let us know!"), and what I see is many reports have users manually blocking www.google.com or www.gstatic.com. So this tells me this issue falls under #2021.

Can anybody reproduce reCAPTCHA breaking if you undo your slider modifications (or start with a new profile)?

@ghostwords just tried all the urls and I can only get the recaptcha to break by manually blocking gstatic.com or Google.com.

I also have tested as @davecotter suggested. It seems that changing google.com from yellow (where my badger has decided it should be) to green manually allows recaptcha to track my movement and other data on the screen to decide i'm human. Without it, it asks me every time to do a check.

Let me know if you want any other checks doing to help out with this.

I know this is a bit stale at this point, but the last few weeks I've noticed I fail every single ReCapatcha, luckily I found this issue. Sure enough I looked in the options and a TON of Google stuff was set to Block. I set it to Allow and I did a few tests and it works now. I wonder if this could be a little more obvious for a user to discover, as yes, Google does a lot of tracking, but it's also used in a lot of sites, so let the user choose. But suddenly failing every ReCaptcha and struggling to "click all the crosswalks" when every picture is a road with no crosswork is infuriating.

i also partly suffer from this issue... and as @monkeydont said:

There is no placeholder where I can even see the reCAPTCHA was supposed to be.

this makes it at first or for casual users pretty hard to guess what's wrong. :slightly_frowning_face:

in my case i faced this error at this site (please make sure you are at the correct site and not got redirected!) which does not connect to sooo much other domains, so perhaps it may be easier to nail down the error...
btw: like @RemakingEden i tried the mentioned sites at this issue but saw most of the reCAPTCHA with no problem.

@ghostwords i try to summarize my findings, but if additional information is needed please just ask!

is Privacy Badger blocking www.google.com or any other google.com domains when this happens?

yes, the only not green domain at Privacy Badger is www.google.com, which is automatically set to red.
after manually setting www.google.com to yellow to work around this issue and reloading the site, google.com gets additionally listed at Privacy Badger.

Does setting those domains to "yellow" or "green" and reloading the page work around the problem?

yes, setting it manually to yellow works like a charm... but this also sets a ton of subdomains to yellow which i even can't revert to automatic controled by Privacy Badger one by one. :slightly_frowning_face:

Can anybody reproduce reCAPTCHA breaking if you undo your slider modifications (or start with a new profile)?

yes, i don't use any manual slider modifications.

completing:

• it seems this is the only site i noticed this issue and at other sites reCAPTCHA works flawless (because www.google.com is automatically just set to yellow)... :thinking:
• i'm additionally using uBlockO, but de-/activating it does not change anything (regarding reCAPTCHA).

Hi @DJCrashdummy, thanks for your report! The reCAPTCHA on the page you shared comes from google.com (which Privacy Badger blocks), as opposed to www.google.com (which Privacy Badger "cookieblocks"). So you found an example where reCAPTCHA is broken by default.

I opened #2512 to eventually add a replacement widget for reCAPTCHA. The idea is to fix your example page and others like it by providing a clearly visible clickable replacement. This will also provide a replacement to users who told Privacy Badger to block www.google.com.

It's not clear what other scenarios beyond these two (reCAPTCHA from google.com / user blocks www.google.com), if any, cause reCAPTCHA breakage.

@ghostwords it seems to me, that sadly nothing has changed with version 2020.5.12... i still don't see any reCAPTCHA nor a hint/replacement at my example (https://github.com/EFForg/privacybadger/issues/1542#issuecomment-548927471). :thinking:

I am unable to access the link in https://github.com/EFForg/privacybadger/issues/1542#issuecomment-548927471:

This page isn’t working
ddl-music.to didn’t send any data.
ERR_EMPTY_RESPONSE

sorry, my bad! :facepalm: i didn't notice that the replacing (social media) widgets was expanded with much more functions... and now also reCAPTCHA! :tada:

i had it always deactivated, because i block social media widgets completely via uBlockO... and some time ago although blocking it completely via uBlockO, privacy badger added his widgets to the sites, which annoyed me because i don't need something blocked to be replaced... :unamused:

after activating the widget replacement, seeing the replacement and enabling it once worked like a charm. :clap:

btw @ghostwords: wouldn't a list with check-boxes be much more selfexplaining and easier to handle for the exceptions of the widget replacement. - resp, i wouldn't make them "the exception from the exception", but rather make a list with check-boxes and block all checked ones (since the tab in the settings is called widget replacement)... so it would be much more streamlined IMHO.

Relevant comments: https://github.com/EFForg/privacybadger/issues/2559#issuecomment-624568685 & https://github.com/EFForg/privacybadger/issues/2559#issuecomment-631463371.

@ghostwords,

Could you take a look and let me know what you think?

I've looked into, it's cool... And you're right it's not working for some reCAPTCHA page; for example https://www.spotify.com/us/signup/.

For Spotify sign up page I don't get any reCAPTCHA, when slider is at block mode for www.google.com.

Fig 1: No reCAPTCHA widget (for "I'm not a robot" Checkbox)

Fig 2: Failed sign-up attempt

Some pages like Spotify login & sign-up uses Invisible reCAPTCHA^[[1]], see below screenshot

And some like https://truecaller.com uses reCAPTCHA v3^[[1]], which don't allow to perform certain operation until slider for www.google.com is at block mode.

It would be nice, if we could also add a widget for Invisible reCAPTCHA; so user will be informed, this site is using Invisible reCAPTCHA. And for reCAPTCHA v3, we could prompt a user interaction like this: allow www.google.com for this domain for this session, only or permanently, just like HTTPSEveryWhere does for insecure website in EASE mode.

@finn0 Thanks for the feedback! I opened #2688 to add widgets to the popup, to make it clear which widgets are present on the page, and to allow you to activate them even when our in-page replacement fails for whatever reason.