[homakov]

>So my guess would be they analyze users behaviour on the page where captcha is located, things like mouse movements

If they can track mouse movements why in incognito mode i'm not a human for them anymore? I was expecting same but from what I see it's just a whitelist. And it's OK. Problem is, which you probably didn't care to read, is it's vulnerable to simple clickjacking which opens another weakness - i can use your click on my page to get your reCAPTCHA token and feed it to my spam bot.

I'm actually happy with No CAPTCHA, because it's making progress. But it's not good enough (see the rest of comments, it could be a background AJAX request instead).

[yhlasx]

>>which you probably didn't care to read

I did read it. My point is, you, or I, or anyone for that matter does not know the inner details of how it works.

>>If they can track mouse movements why in incognito mode i'm not a human for them anymore?

Maybe having a clean cookie history is not good enough during the risk assessment.

Look, my entire point is, google is not a joke company. I am certain that they tested it for effectiveness before deploying.

[homakov]

> I did read it.

So what do you think about clickjacking issue? I made an assumption about their algo and maybe I'm wrong and they do track your mouse, but there's exploitable weakness. My post is 1) your algo seems simple 2) here's a bug in it.

[yhlasx]

The curious thing is, I could not replicate the clickjacking issue. Everytime I make a click on original wordpress registration page, I am verified as a human immediately.

If I do the click on your github page, I get a challenge. My clicks were never accepted as human on your github page. My clicks were always accepted as human on wordpress page.

[homakov]

No incognito tab? Maybe they fixed it

[homakov]

yes they fixed it but i don't know how. Likely there's a way to bypass.