I’m not sure how effective captchas really are at filtering out bots. But if they do work, I’d much rather have my efforts contribute to a public good like OSM rather than feeding data to Google, which seems to be the default these days.

If anyone from OSM is listening, it would be great to have a way to flag malicious uses of captchas, like in phishing attempts. The existing captcha platforms make this very hard.


Mostly they were created on the absolutely wrong assumption that they wouldn't annoy as fuck the users. Unless I badly need to get in, I tend to browse away when prompted for a captcha. The ones I hate the most are those where you are supposed to click on the part of the picture that contains a motorcycle, and like, are you supposed to click if the motorcycle overlaps by 2 pixels, are you supposed to click on the passenger, and if it's a traffic light, is the pole part of the traffic light, etc.?

This is as user hostile as it gets (and of course always combined with a GDPR pop-up followed by a subscribe-to-email pop-up which overlaps with the please-login pop-up).


> are you supposed to click if the motorcycle overlaps by 2 pixels, are you supposed to click on the passenger, and if it's a traffic light, is the pole part of the traffic light

100%, I have never passed those captchas, guess I'm really not human.


Google and Cloudflare's captchas are the worst because if they have previously decided they don't like your IP, if your browser has privacy features enabled, or a few other factors, they will never let you past the captcha no matter how correctly you answer the prompts. But instead of just telling you "we simply don't trust you, go away" they'll let you attempt the captchas as long as you like, rejecting your answers every single time.

It's abhorrent. Lying to users, gaslighting them into thinking they weren't answering correctly and need to try harder when in fact no answer will ever be accepted. Ostensibly meant to be a system which prevents automatic systems from abusing resources meant for people, it becomes an automatic system abusing people. This bullshit should be illegal. If they want to turn people away for defying their surveillance apparatus they should do that upfront, without the inhumane deception.


I'm not from OSM but could you say more about malicious uses of captchas or how it's related to phishing?

It's really common now for phishing kits to use interstitial pages that require solving a captcha before the actual phishing content is shown.

Victims just click through the captcha without thinking, but it makes automatic verdicting by security scanners a pain because they just see a captcha page: they can't tell the brand being impersonated, or even if it's a phishing site.

I wrote a post about a number of these which actually pretend to be Cloudflare! https://phish.report/blog/fake-cloudflare-interstitials


Interesting! What I was thinking of was use of legitimate captcha integrations (reCAPTCHA, hCaptcha) in front of fake banking websites. Drives me crazy that there isn't an easy avenue to report those.

Oh, some of them definitely use a real reCAPTCHA, hCaptcha, or Turnstile widget. It's actually useful sometimes to track the same API key being used across multiple different domains.

But yeah, I wouldn't even know where to report those API keys for abuse
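To make the scanner-side idea from the two comments above concrete (recognising a captcha interstitial and tracking one site key across domains), here is an added Python example that is not from the thread or from phish.report. The HTML pages, hostnames and site keys in it are constructed placeholders, and the widget class names are the public embed markup of reCAPTCHA, hCaptcha and Turnstile.

```python
import re
from collections import defaultdict

# Constructed sample pages: two interstitials sharing one reCAPTCHA key,
# one hCaptcha interstitial, and an ordinary page with no widget.
# Hostnames and site keys are placeholders, not real indicators.
SAMPLE_PAGES = {
    "login-bank-verify.example": """<html><body>
      <div class="g-recaptcha" data-sitekey="6L-placeholder-key-1"></div>
      <script src="https://www.google.com/recaptcha/api.js" async defer></script>
      </body></html>""",
    "secure-bank-portal.example": """<html><body>
      <div class="g-recaptcha" data-sitekey="6L-placeholder-key-1"></div>
      </body></html>""",
    "verify-account.example": """<html><body>
      <div class="h-captcha" data-sitekey="hc-placeholder-key-2"></div>
      <script src="https://js.hcaptcha.com/1/api.js" async defer></script>
      </body></html>""",
    "news.example": "<html><body><h1>Headlines</h1><p>Some article text.</p></body></html>",
}

# Embed-widget class names of the three providers named in the thread.
WIDGET_CLASSES = {"g-recaptcha": "recaptcha", "h-captcha": "hcaptcha", "cf-turnstile": "turnstile"}

_TAG_RE = re.compile(r"<(?:div|iframe|form)\b[^>]*>", re.I)
_ATTR_RE = re.compile(r"""\b(class|data-sitekey)\s*=\s*["']([^"']*)["']""", re.I)

def extract_widgets(html):
    """Return (provider, sitekey) pairs for every captcha widget embedded in html."""
    found = []
    for tag in _TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in _ATTR_RE.findall(tag)}
        sitekey = attrs.get("data-sitekey")
        if not sitekey:
            continue
        for cls in attrs.get("class", "").split():
            if cls in WIDGET_CLASSES:
                found.append((WIDGET_CLASSES[cls], sitekey))
    return found

def is_captcha_interstitial(html, max_words=50):
    """Heuristic: a widget is present and almost no visible text, i.e. the page
    shows the scanner nothing but the captcha (threshold is an assumption)."""
    if not extract_widgets(html):
        return False
    text = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return len(text.split()) < max_words

def shared_sitekeys(pages, min_hosts=2):
    """Map (provider, sitekey) -> sorted hosts for keys seen on min_hosts or more
    hosts: the same key reused across domains usually means one kit or operator."""
    clusters = defaultdict(set)
    for host, html in pages.items():
        for provider, key in extract_widgets(html):
            clusters[(provider, key)].add(host)
    return {k: sorted(v) for k, v in clusters.items() if len(v) >= min_hosts}
```

Running `shared_sitekeys(SAMPLE_PAGES)` on the constructed set links the two bank-themed hosts through their common reCAPTCHA key, which is the kind of pivot that is useful when a single interstitial page tells you nothing about the brand behind it.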
