by flanbiscuit 1858 days ago
The DOOM Captcha is just using html/css/js so it's easy for bots to crack with simple DOM querying/manipulation in an automated browser. But what if canvas was used instead?

> A minigame with extremely vague description that you have to react to quickly to pass.

I don't know how advanced current bots are at breaking captchas these days but if you're using a canvas then they would have to use some kind of image/video processing and recognition and then also know the rules of the game. Just curious if using canvas would make things harder for bots. Maybe it's already been done, I have no idea.

6 comments

I believe a simple JS browser extension or automation script could easily ask about every pixel in the canvas. For this case I suspect it would be very easy to iterate over each row of pixels looking for a few consecutive pixels that uniquely match the monster and then trigger a click on those coordinates.

Probably by grabbing a pixel of a monster and "clicking" on it. Pixel bots are as old as time. Learned about them playing RuneScape as a kid but never wanted to be banned. My friend made a few for fishing and woodcutting.

For traditional text captchas, bots are better than humans. Flow usually goes, pay humans to solve 50000 ($500) then train an ML model. For things like recaptcha things get harder because it is not easy to proxy the captcha puzzles to have humans solve them (which is necessary to collect training data).

Why do you need to proxy anything? If you're just collecting training data, seems easy to record the interaction with a browser extension?

Because I want to pay people in the 3rd world to solve them for me. There are a bunch of services that take crypto or PayPal and solve captchas with humans. Using those systems requires you download the image, send to service, get response (proxy is not 100% accurate).
> just using html/css/js

I think a problem is if it's all client side it would be quite easy for hackers to muck about with. Now maybe if it sent the mouse movements and target positions to the server it would be possible to tell human movements apart in a way that was quite hard to crack?

> The DOOM Captcha is just using html/css/js so it's easy for bots to crack with simple DOM querying/manipulation in an automated browser.

I mean, if you're looking at it at that level, it's just giving a "didn't pass" callback. A bad actor could just ignore that, and not care about it.

Without some sort of server side verification of the result, it doesn't really matter how difficult it is to script through the game itself. Even some crazy hard game in canvas isn't any more difficult for a bot to script around, if the server doesn't have any way of knowing anyone actually jumped through the hoop.

Yeah, I was really surprised to see it was basic DOM. Canvas version wouldn't even be that hard to do. And yes, it would definitely be breakable, but at least not with a JavaScript one-liner.
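The server-side verification point raised in the thread, as an added example that is not part of the original discussion or of the DOOM Captcha project: the server issues a signed, expiring, single-use token only after it has judged the challenge itself, and the protected endpoint rejects any request without one, so ignoring a client-side callback gains nothing. All names here (`issuePassToken`, `verifyPassToken`, `SECRET`, `TTL_MS`) are hypothetical, and the in-memory replay set stands in for a shared store.

```javascript
// Added example (Node.js); names are hypothetical, not from any captcha library.
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

const SECRET = randomBytes(32);   // server-only key, never shipped to the browser
const TTL_MS = 2 * 60 * 1000;     // how long a pass token stays valid
const spent = new Set();          // nonces already redeemed (assumption: one process)

function sign(payload) {
  return createHmac("sha256", SECRET).update(payload).digest("hex");
}

// Called by the server only after *it* has decided the challenge was passed,
// never in response to a "passed" flag reported by client-side script.
function issuePassToken(now = Date.now()) {
  const payload = `${randomBytes(16).toString("hex")}.${now + TTL_MS}`;
  return `${payload}.${sign(payload)}`;
}

// Called by the protected endpoint (e.g. the form handler) on every request.
function verifyPassToken(token, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return "malformed";
  const [nonce, expires, mac] = parts;
  const expected = Buffer.from(sign(`${nonce}.${expires}`));
  const given = Buffer.from(mac);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return "bad-signature";
  }
  if (now > Number(expires)) return "expired";
  if (spent.has(nonce)) return "replayed";   // one token, one submission
  spent.add(nonce);
  return "ok";
}
```

The token only proves that the server issued a pass; how the server judges the challenge (for example from submitted mouse movements, as suggested in the thread) is a separate decision this sketch does not cover.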