OpenAI’s ChatGPT Agent casually clicks through “I am not a robot” verification test
-
"This step is necessary to prove I'm not a bot," wrote the bot as it passed an anti-AI screening step.
The CAPTCHA in question is Cloudflare Turnstile, which slowly ramps up a different assortment of invisible challenges while not tracking your mouse movement or cross-site activity.
If a bot can find all images with crosswalks in grainy photos faster than we can, surely it can check a box as well. Bots definitely can check a box, and they can even mimic the erratic path of human mouse movement while doing so. For Turnstile, the actual act of checking a box isn’t important, it’s the background data we’re analyzing while the box is checked that matters. We find and stop bots by running a series of in-browser tests, checking browser characteristics, native browser APIs, and asking the browser to pass lightweight tests (ex: proof-of-work tests, proof-of-space tests) to prove that it’s an actual browser.
-
Ah yes, cloudflare's captcha that just tracks how many hits you've done in a timeframe on a site recently.
Same shit different pile.
-
"This step is necessary to prove I'm not a bot," wrote the bot as it passed an anti-AI screening step.
Probably because it accessed it through a user's browser/connection which until that point hadn't been flagged as a bot and had consistently shown signs of human use.
I'm sure if you set up a bot farm with this your connections would be flagged very quickly.
-
Ah yes, cloudflare's captcha that just tracks how many hits you've done in a timeframe on a site recently.
Same shit different pile.
From the screenshot in the article, the bot is bypassing Cloudflare's Turnstile which is not just tracking hits.
I work in bot detection. You and anyone else reading this should understand that, behind the scenes, proof-of-work, proof-of-space, and other tests are being run to verify if the device is what it says it is. Typically, a bot is run with a tool like Playwright or Puppeteer. These frameworks are detectable with the right tests. Bots will also attempt to spoof another device's fingerprints to blend in. These changes are also detectable if you know what to test for.
We implement tools like Turnstile and other CAPTCHAless CAPTCHA because bots are pretty good at passing CAPTCHA while humans, rightfully, hate verifying they're human. Humans also struggle at passing CAPTCHA.
The general population has zero idea the massive volume of bot traffic that is being generated right now. These tools are implemented for a reason. So the fact that a bot just breezes past this test is a problem for us all.
Definitely not "same shit different pile", friend.
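-
Added example, not part of the thread and not Cloudflare's or any vendor's code: a minimal hashcash-style version of the proof-of-work test mentioned in the comments above, showing what the server has to check besides the work itself. The function names, the `|`-separated challenge format, and the difficulty value are assumptions made for this sketch, and `clientId` is assumed not to contain `|`.

```javascript
const crypto = require("node:crypto");

// Per-process secret that authenticates challenges (constructed for this demo).
const SERVER_KEY = crypto.randomBytes(32);
const mac = (s) => crypto.createHmac("sha256", SERVER_KEY).update(s).digest("hex");
const digest = (challenge, nonce) =>
  crypto.createHash("sha256").update(`${challenge}:${nonce}`).digest();

// Number of leading zero bits in a hash; the "work" is making this large.
function leadingZeroBits(buf) {
  let bits = 0;
  for (const byte of buf) {
    if (byte !== 0) return bits + Math.clz32(byte) - 24;
    bits += 8;
  }
  return bits;
}

// Server: salt|clientId|difficulty|expiry|HMAC. The MAC makes the challenge
// self-validating, so only spent salts need to be remembered.
function issueChallenge(clientId, difficulty, now = Date.now(), ttlMs = 60_000) {
  const salt = crypto.randomBytes(8).toString("hex");
  const payload = [salt, clientId, difficulty, now + ttlMs].join("|");
  return `${payload}|${mac(payload)}`;
}

// Client side (page script in a real browser): first nonce that meets the target.
function solve(challenge) {
  const difficulty = Number(challenge.split("|")[2]);
  for (let nonce = 0; ; nonce++) {
    if (leadingZeroBits(digest(challenge, nonce)) >= difficulty) return nonce;
  }
}

// Server: check authenticity, binding, freshness and replay before the work.
function verify(challenge, nonce, clientId, spent, now = Date.now()) {
  const parts = challenge.split("|");
  if (parts.length !== 5) return "malformed";
  const [salt, boundTo, difficulty, expires, tag] = parts;
  const expected = Buffer.from(mac(parts.slice(0, 4).join("|")));
  const given = Buffer.from(tag);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return "forged";
  if (boundTo !== clientId) return "wrong-client";
  if (now > Number(expires)) return "expired";
  if (spent.has(salt)) return "replayed";
  if (leadingZeroBits(digest(challenge, nonce)) < Number(difficulty)) return "insufficient-work";
  spent.add(salt);
  return "ok";
}
```

Any client willing to spend the CPU time passes this check, so it only raises the cost per request; that is why the comment lists it as one test among several.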
-
"This step is necessary to prove I'm not a bot," wrote the bot as it passed an anti-AI screening step.
Prowlarr has had a thing to do this for a good while now. No AI needed.
-
From the screenshot in the article, the bot is bypassing Cloudflare's Turnstile which is not just tracking hits.
I work in bot detection. You and anyone else reading this should understand that, behind the scenes, proof-of-work, proof-of-space, and other tests are being run to verify if the device is what it says it is. Typically, a bot is run with a tool like Playwright or Puppeteer. These frameworks are detectable with the right tests. Bots will also attempt to spoof another device's fingerprints to blend in. These changes are also detectable if you know what to test for.
We implement tools like Turnstile and other CAPTCHAless CAPTCHA because bots are pretty good at passing CAPTCHA while humans, rightfully, hate verifying they're human. Humans also struggle at passing CAPTCHA.
The general population has zero idea the massive volume of bot traffic that is being generated right now. These tools are implemented for a reason. So the fact that a bot just breezes past this test is a problem for us all.
Definitely not "same shit different pile", friend.
Lol who downvoted this
-
LLM is a model/algorithm and the robot is an automatic machine. LLM is not a robot. All is ok.
Yes. Exactly this. No way for a bot to make an API call to a LLM and get back a solution formatted in JSON that it could easily parse for the solution. Could never happen.
-
From the screenshot in the article, the bot is bypassing Cloudflare's Turnstile which is not just tracking hits.
I work in bot detection. You and anyone else reading this should understand that, behind the scenes, proof-of-work, proof-of-space, and other tests are being run to verify if the device is what it says it is. Typically, a bot is run with a tool like Playwright or Puppeteer. These frameworks are detectable with the right tests. Bots will also attempt to spoof another device's fingerprints to blend in. These changes are also detectable if you know what to test for.
We implement tools like Turnstile and other CAPTCHAless CAPTCHA because bots are pretty good at passing CAPTCHA while humans, rightfully, hate verifying they're human. Humans also struggle at passing CAPTCHA.
The general population has zero idea the massive volume of bot traffic that is being generated right now. These tools are implemented for a reason. So the fact that a bot just breezes past this test is a problem for us all.
Definitely not "same shit different pile", friend.
Thanks for the write up, but I was blocked from logging in on a cloudflare website because I opened too many windows once and their tracking cookie flagged that browser as a bot.
Meanwhile the bot I built to track mod updates to my modlist for Rimworld and Mw5 on nexus? Never ran into any issues.
So when I refer to Cloudflare's bot detection as shit, that is a highly personal and professional opinion.
-
From the screenshot in the article, the bot is bypassing Cloudflare's Turnstile which is not just tracking hits.
I work in bot detection. You and anyone else reading this should understand that, behind the scenes, proof-of-work, proof-of-space, and other tests are being run to verify if the device is what it says it is. Typically, a bot is run with a tool like Playwright or Puppeteer. These frameworks are detectable with the right tests. Bots will also attempt to spoof another device's fingerprints to blend in. These changes are also detectable if you know what to test for.
We implement tools like Turnstile and other CAPTCHAless CAPTCHA because bots are pretty good at passing CAPTCHA while humans, rightfully, hate verifying they're human. Humans also struggle at passing CAPTCHA.
The general population has zero idea the massive volume of bot traffic that is being generated right now. These tools are implemented for a reason. So the fact that a bot just breezes past this test is a problem for us all.
Definitely not "same shit different pile", friend.
The modern breed of CAPTCHAs is mostly only trying to verify that it's a full-fat browser. undetected-chromedriver, camoufox, pydoll, patchright and a million other libraries/tools exist. Nothing's perfect and it's a cat & mouse game, but this single incident is a sample size of one as well.
-
I count on Cloudflare's useless captcha for my *arr stack.
-
"This step is necessary to prove I'm not a bot," wrote the bot as it passed an anti-AI screening step.
Meanwhile my ass is in tears every time I have to do a fucking "click all the squares that show a motorcycle" prompt. Maybe I should just join the bots.
-
Thanks for the write up, but I was blocked from logging in on a cloudflare website because I opened too many windows once and their tracking cookie flagged that browser as a bot.
Meanwhile the bot I built to track mod updates to my modlist for Rimworld and Mw5 on nexus? Never ran into any issues.
So when I refer to Cloudflare's bot detection as shit, that is a highly personal and professional opinion.
No problem, thanks for reading. I don't work for Cloudflare, but I worry it's a little too easy to call something shit when you don't fully understand it.
There are numerous factors at play here even outside of frameworks and browsers. I haven't worked with Cloudflare's tools but where I work we allow each customer to fine tune detections. One site's detections might be too aggressive for another site. Believe it or not, some customers are ok with bot traffic so long as it's not overly aggressive. That said, detections can trigger based on behavior, such as high volumes of requests, as well as IP reputation.
Even with the bypasses that are available, or instances when you are able to use a bot and not be challenged, it doesn't diminish how well these tools work. There are reasons people are implementing these types of antibot solutions across the web.
-
The modern breed of CAPTCHAs is mostly only trying to verify that it's a full-fat browser. undetected-chromedriver, camoufox, pydoll, patchright and a million other libraries/tools exist. Nothing's perfect and it's a cat & mouse game, but this single incident is a sample size of one as well.
Absolutely well said. Cat & mouse indeed
-
Meanwhile my ass is in tears every time I have to do a fucking "click all the squares that show a motorcycle" prompt. Maybe I should just join the bots.
Well now you can just have a bot do that for you
-
"This step is necessary to prove I'm not a bot," wrote the bot as it passed an anti-AI screening step.
Meanwhile google slapped me with nine captchas to fill out a form like wtf?
-
Cloudflare is one of many contributing factors to how annoying the internet is now.
-
I count on Cloudflare's useless captcha for my *arr stack.
Wait. Your *arr apps are public?
-
From the screenshot in the article, the bot is bypassing Cloudflare's Turnstile which is not just tracking hits.
I work in bot detection. You and anyone else reading this should understand that, behind the scenes, proof-of-work, proof-of-space, and other tests are being run to verify if the device is what it says it is. Typically, a bot is run with a tool like Playwright or Puppeteer. These frameworks are detectable with the right tests. Bots will also attempt to spoof another device's fingerprints to blend in. These changes are also detectable if you know what to test for.
We implement tools like Turnstile and other CAPTCHAless CAPTCHA because bots are pretty good at passing CAPTCHA while humans, rightfully, hate verifying they're human. Humans also struggle at passing CAPTCHA.
The general population has zero idea the massive volume of bot traffic that is being generated right now. These tools are implemented for a reason. So the fact that a bot just breezes past this test is a problem for us all.
Definitely not "same shit different pile", friend.
Could you please enlighten me on one small point:
When it asks you to click all the squares with a motorcycle, etc., does it expect you to include the squares with just a tiny part of the motorcycle or rider, or does it just want you to select the main squares?
-
Meanwhile google slapped me with nine captchas to fill out a form like wtf?
Lemme guess... traffic lights, too many motorcycles, and buses? There was something "wrong" with your cookies cache or IP. Google just straight fucks with you if it sees network traffic it doesn't like.
-
Meanwhile my ass is in tears every time I have to do a fucking "click all the squares that show a motorcycle" prompt. Maybe I should just join the bots.
Ooh, sorry, you missed the single pixel on the corner of the adjacent tile, FAIL