
Posted by anonymousiam 18 hours ago

Google broke reCAPTCHA for de-googled Android users (reclaimthenet.org)
Related: Google Cloud fraud defense, the next evolution of reCAPTCHA - https://news.ycombinator.com/item?id=48039362

also: Google Cloud Fraud Defence is just WEI repackaged - https://news.ycombinator.com/item?id=48063199

1121 points | 387 comments | page 3
ranger_danger 17 hours ago|
Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.

My ISP regularly changes everyone's IP, and I apparently share an ISP with people who suck, so I get flagged just trying to do all sorts of normal things. Some examples:

- I've never bought anything from Etsy but I'm somehow banned from even viewing their site at all.

- Discord immediately bans me any time I try to create an account.

- Can't buy flights from Delta, always gives a nondescript error.

- Can't buy concert tickets, it thinks I'm a fraudulent buyer.

- Most CF sites produce a "Sorry, you have been blocked" page, or just loop.

- Trying to buy products on a shopping cart will have my order silently flagged/canceled for "VPN usage" (I don't use one).

- Some sites/programs block me for being on the DroneBL or similar lists I did nothing to get onto, and have verified many times that it's not really coming from me.

I just take my business elsewhere... eventually I'll probably just stop using technology at all.

Jigsy 17 hours ago||
> Sites that use reCAPTCHA/Turnstile/etc. have already been broken for me for years now due to neverending captcha/refresh loops.

I had this problem recently with the Indeed website. (Cloudflare Captcha)

Thanks to someone on Reddit, it was discovered that anyone using a Chromium based browser (Brave, Vivaldi, etc.) on Linux was being punished.

Awfully frustrating having to set up a Virtual Machine just to be able to access one website via Firefox since even my hardened Firefox was being punished.

anonymousiam 16 hours ago||
Why not just change your user agent string?
codedokode 14 hours ago|||
Because the site can compare the user agent with navigator.platform, which your browser fills with great care.
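
The consistency check described in the comment above, sketched from the detecting site's side as an added example (not part of the thread and not any vendor's actual logic). The OS-to-platform rules, the function names and the sample sessions are assumptions constructed for illustration:

```javascript
// Added illustration: compare the OS claimed in the User-Agent string with the
// value the browser reports in navigator.platform. Simplified, assumed ruleset.
// Order matters: Android UAs also contain "Linux", iOS UAs contain "like Mac OS X".
const OS_RULES = [
  { os: "android",  ua: /Android/i,          platform: /^Linux / },
  { os: "ios",      ua: /iPhone|iPad|iPod/,  platform: /^(iPhone|iPad|iPod)/ },
  { os: "windows",  ua: /Windows NT/,        platform: /^Win/ },
  { os: "macos",    ua: /Macintosh|Mac OS X/, platform: /^Mac/ },
  { os: "chromeos", ua: /CrOS/,              platform: /^Linux / },
  { os: "linux",    ua: /Linux|X11/,         platform: /^(Linux|FreeBSD|OpenBSD)/ },
];

// Returns { os, consistent, reason }; consistent is null when the UA names no known OS.
function checkUaPlatform(userAgent, platform) {
  const rule = OS_RULES.find((r) => r.ua.test(userAgent || ""));
  if (!rule) {
    return { os: "unknown", consistent: null, reason: "no OS token in User-Agent" };
  }
  const consistent = rule.platform.test(platform || "");
  return {
    os: rule.os,
    consistent,
    reason: consistent
      ? "User-Agent and navigator.platform agree"
      : `User-Agent claims ${rule.os}, navigator.platform is "${platform}"`,
  };
}

// Constructed sample sessions (not real traffic). In a page, the two values
// would come from the request header and from script reading navigator.platform.
const SAMPLE_SESSIONS = [
  { id: "s1", platform: "Linux x86_64",
    ua: "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0" },
  { id: "s2", platform: "Linux x86_64", // UA string changed by hand on a Linux machine
    ua: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" },
  { id: "s3", platform: "Linux armv81",
    ua: "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36" },
];

// Ids of sessions whose two signals contradict each other.
function flagInconsistent(sessions) {
  return sessions
    .filter((s) => checkUaPlatform(s.ua, s.platform).consistent === false)
    .map((s) => s.id);
}

console.log(flagInconsistent(SAMPLE_SESSIONS));
```
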
userbinator 6 hours ago||
That naturally implies we must patch the browser.

"Source code? We don't need no stinkin' source code!"

codedokode 1 hour ago||
That's what Russian underground hackers do to create so-called "anti-detect" browsers, which can emulate different browser fingerprints. But they are commercial and closed-source.
tardedmeme 16 hours ago||||
It probably fingerprints the browser via TLS fingerprinting.
mschuster91 16 hours ago|||
That's useless, in fact it makes you stand out even more. There are SDKs that can differentiate based on an awful lot of signals if your user agent corresponds to your actual browser version.
miladyincontrol 15 hours ago|||
Almost would bet one or a few of your ISP's customers have their connections being used as residential VPNs.

I know people like to think of suspicious Android box setups but even a lot of "free" apps, extensions and other such services scarily seem to do that duty these days. I'm sure I'm preaching to the choir here, but it's sad how many people will use some free of cost VPN and not even think why that might be.

ranger_danger 14 hours ago|||
Yes, I have even seen mobile Android games that include notices about a BrightData SDK or HolaVPN etc. where their idle bandwidth is resold.
donmcronald 12 hours ago||
Does the app function as a proxy? I always assumed that wasn’t possible.
ranger_danger 11 hours ago||
Why wouldn't it be possible? As long as background network access is allowed (the default).
chadgpt2 14 hours ago|||
Honest question: Is there anything scary about this apart from lowering your ISP's reputation score?
donmcronald 12 hours ago||
Yes. What if your connection is used for illegal activity?
wraptile 3 hours ago|||
It's not only the IP; the entire browser stack is being fingerprinted: JavaScript, HTTP, TLS - everything. I've been living in the SEA region on Linux Firefox for the last 10 years and the web has been miserable due to Cloudflare and reCAPTCHA.
rescbr 14 hours ago|||
This is why I ended up paying extra for a static IP from my ISP. While they always provided me with a public IP outside a CGNAT, I guess whole IP blocks were being targeted by these web security providers.

I guess my ISP allocates static IPs from a separate pool, and probably my IP block neighbors are better behaved (probably SMBs and other fellow nerds), aside from platforms learning that my IP is safe.

Captcha difficulties are way down now.

hysan 17 hours ago|||
Turnstile feels bad as a user. Every site that I’ve seen it on will lock up Safari hard while it’s doing whatever it’s doing. But at least I haven’t run into more than 2 refresh loops.
prism56 17 hours ago|||
Oh man I feel you. I turn my VPN off on certain sites due to the captcha loop.
retired 14 hours ago|||
I have not been able to visit AliExpress for months now. Just an endless reCAPTCHA loop.

I wonder if they are seeing a decrease in traffic and somehow find that acceptable.

Milpotel 17 hours ago|||
Wouldn't a 1£ Linux VM as Wireguard access point suffice?
ranger_danger 17 hours ago||
Nope, I have tried. Just as suspicious to them if not more so because it's a datacenter IP and not residential. I even have a list of sites I've tried to visit that were explicitly blocked from datacenter IPs, and that file has over a hundred hosts in it now.
chrisjj 5 hours ago|||
> I just take my business elsewhere...

Mars? /i

ck2 17 hours ago||
whenever I can't access a website for various stupid blocks

I fire up cloudflare warp and walk right through it

use wireguard with wgcf in environments without cloudflare client

yeah it's stupid we have to do this in 2026 but I guess cloudflare is the new AOL garden

wafflemaker 16 hours ago|||
You sir seem to have solved a problem many people here have.

Would you care to elaborate a little on how you did it?

It doesn't happen that often to me, but sometimes adblock setup I'm using results in such issues.

tardedmeme 16 hours ago||
He just told you, he used Cloudflare WARP. It's a "VPN" along the lines of NordVPN et al, but by Cloudflare, so it gets special treatment by Cloudflare's walled garden enforcement system.
krackers 16 hours ago||
I wonder if iCloud private relay might also work. Apple probably negotiated some special treatment
donmcronald 12 hours ago||
I’m guessing it’s all the same effect as CGNAT exit IPs. You need to get big enough to be unblockable. That’s why everyone is trying to get in on the VPN game.

This new reCAPTCHA setup is probably a good indicator that big tech wants to shift to verified access only. Personally, I’m just going to quit spending money via the internet and go back to piracy + retail stores with a physical location.

titularcomment 15 hours ago|||
the fact that this works, as well as cloudflare having a literal web scraping tool available as another product honestly makes my blood boil.
db48x 3 hours ago||
I long ago stopped using any webpage that uses a captcha. If the website uses one, I bounce.
dstnn 14 hours ago||
It's going to be just like the wild days of the late 90s and 2000s

Strap in, the ownage will be hard.

spankibalt 16 hours ago||
Time for some lawfare!
DANmode 16 hours ago||
The Government reviewed the Google situation on behalf of you,

and on behalf of the Government,

and said “data, so piss off”:

https://abcnews.com/Technology/google-hit-antitrust-lawsuit-...

https://macdailynews.com/2026/02/04/u-s-files-appeal-in-goog...

userbinator 11 hours ago||
If the masses can somehow point the absolute loose-cannon that is the current President at Google, things might actually change.
DANmode 9 hours ago||
In August 2019, Trump tweeted that Google had “manipulated” millions of votes toward Clinton in 2016 and said the company “should be sued.”

Turns out that Presidents, once elected, largely do what Continuity of Government, and business interests, ask for.

userbinator 4 hours ago||
Trump has been the least normal of them, and the increasing distrust and suspicion towards Big Tech is largely bipartisan at this point.
Computer0 16 hours ago||
warfare*
KPGv2 14 hours ago||
https://en.wikipedia.org/wiki/Lawfare

> Lawfare is the use of legal systems and institutions to affect foreign or domestic affairs, as a more peaceful and rational alternative, or as a less benign adjunct, to warfare.

bigyabai 8 hours ago||
The parent is musing on the impossibility of Google being held accountable, as the government largely assents to this plan and will ostensibly use it for social control during times of protracted warfare (eg. right now).
manmal 5 hours ago||
It’s quite easy to remote control an Android phone with an agent (eg there’s agent-device). I don’t think this will keep automation from happening.
BloodyIron 11 hours ago||
I'm sorry Google, I'm afraid I can't do that.
hedora 12 hours ago||
Is there a way to just ban all these sites? Like a firefox plugin or whatever that detects this crap, and just bounces over to some place more reputable, like archive.is.
Permit 12 hours ago|
It looks like archive.is uses recaptcha so I don’t think that’s the fix you’re looking for.
tardedmeme 11 hours ago||
then we make a new one
Worf 15 hours ago||
I don't use Android right now and haven't used Google'd Android for almost a decade. And I won't. If this is the hill I die on, so be it.

I'm not going to use any sort of hardware attestation, especially one controlled by Google. You shouldn't either, even if you have an unrooted Google-certified Android phone.

brikym 15 hours ago||
It's all fun until you can't get paid because some fintech app doesn't work. That's why we need regulations. I don't see politicians ever going against an advertising company when they're customers.
freedomben 15 hours ago|||
Indeed, I generally favor being conservative with regulations because they can genuinely impede progress and can be really hard to change or remove when they're bad, but this is an issue that we need regulation for. It's just too much in the interest of big tech to lock us down and strip us of our freedom of compute. Short of regulation.

Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.

mikepurvis 14 hours ago|||
An easy first step ahead of a full ban would be insisting that hardware attestation never be used as a gate to access government services. Most other things I can vote with my feet, but viewing my tax returns or renewing my passport are things that can only happen in one place.
donmcronald 13 hours ago||
This is really the most important thing for me. I don’t want to be obligated by law to use some identity or attestation service tied to big tech. I might be ok with my bank handling it because they already require ultimate trust, but not if they simply defer to big tech or implement infrastructure on foreign ccTLDs (id.me, verified.me, etc.).

I’m Canadian and watching our government sell our souls to American tech companies is beyond scary.

mikepurvis 11 hours ago||
Yes, Canadian here also and I feel the same. I'm pretty heavily Googled these days (gmail, gphotos, Pixel 10) and I work for a US tech company, so maybe I'm kidding myself that it matters much for me personally, but I'd be pretty sad if I ever found myself unable to access any level of government service because I didn't have a Google or Apple smartphone that I could point at a QR code on the screen.
pino83 15 hours ago||||
One unfortunate aspect of the entire problem: Go back, let's say 10, 15 or 20 years, when forces were a bit more balanced than today. When all these issues were already quite obvious, but probably somewhat easier to solve. The same people that cry loudly today were completely ignoring all these issues. Actively. And when someone came up with them, that guy was just an idi*t, disturbing the good mood. Right? I can still remember all the conversations that I had, or that I read. Today, they'll deny that and still call me an idiot. Anyways...

PS: Sure, there always were a handful of exceptions. If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.

dwedge 14 hours ago||
So just to clarify, you also didn't solve anything but you want everyone to know you told them so and you were smarter?

> If you are one of them, you know what I'm talking about. I don't refer to you. But to the other 99.x%.

Reminds me of Facebook engagement bait

donmcronald 13 hours ago|||
I saw a lot of people get told they were too dumb to understand how the app stores or Adobe subscriptions were a good value proposition. A lot of people rolled in the mud and now they’re upset their clothes are dirty.

If it didn’t affect those of us that tried to resist, I wouldn’t care, but we got dragged along unwillingly and now it may be impossible to hit the brakes before corporations control everything by usurping control of our identity systems.

pino83 12 hours ago||
Oh, yeah, these discussions as well... Precisely.

Good that some people are able to translate my thoughts into actual English... :D

pino83 13 hours ago|||
> Reminds me of Facebook engagement bait

If you say so. I don't know. I was never an active part of that big problem (so btw I also had nothing to "solve"). You were?

userbinator 6 hours ago||||
The sort of regulation we need for this must be as solid as a constitutional amendment, but that is going to be very, very difficult.
KPGv2 14 hours ago|||
> Unfortunately I see the regulatory environment more likely to go the other way of requiring attestation. I sure hope I'm wrong.

Everyone in power wants it, across the entire globe.

retired 14 hours ago|||
Already happening. The official German identification app, AusweisApp, is designed exclusively for Android and Apple mobile devices
lxgr 13 hours ago|||
> designed exclusively for Android and Apple mobile devices

That's very different from requiring hardware attestation, though.

pseudalopex 4 hours ago||
It is a little different. But not very different.
somethingweird 14 hours ago||||
No, you can also get it for Windows and Huawei devices. So three American and one Chinese companies. Great.
bigyabai 13 hours ago||
With Salt Typhoon, that's a whole four ways to choose how China steals your data.

And to think, people said consumer choice was dead...

ranger_danger 13 hours ago|||
If it was developed by the government, shouldn't the source or an API be available? Surely third-party apps can be made in that case?
poopooracoocoo 11 hours ago||
That'd be great but governments often don't make specs and source code available. Governments don't make things open.

The amount of stuff councils and state governments gatekeep about road specs alone... Argh.

palata 3 hours ago|||
"Not using" doesn't make any noise. If you just "don't use", you will just use less and less stuff.

Google doesn't give a shit, but smaller companies are the ones using reCAPTCHA and that kind of shit. Consumers need to complain to those smaller companies. And citizens need to complain to their government, in those cases. In the EU there is the DMA: https://digital-markets-act.ec.europa.eu/contact-dma-team_en.

What's sad is that the few citizens who care are often complaining against regulations. And it is the lack of regulations that got us here. We need antitrust, period.

lukashahnart 13 hours ago||
What do you use instead? iOS?
moebrowne 5 hours ago||
OK, so what are the alternatives, what can developers use instead?
pixel_popping 13 minutes ago||
It feels ultra sad that "developers" think they need to use reCAPTCHA? What is this laziness, it's not even good on top of that at what it does, reCAPTCHA costs less than $1/1000 to solve automatically, it's also slow, crappy, bad UI.

Even competent people got completely brainwashed, crazy.

doublerabbit 41 minutes ago|||
Create your own. Captchas have long existed on the internet. Start your own Captcha As A Service. If you've not seen the dark net some of their QR checks are inquisitive.

   >? URL: .env.project :: IP: 213.209.159.175
   >? 30326336336 :: viewer key
   >? URL: lab/.env :: IP: 213.209.159.175
   >? 39363064647 :: viewer key
   >? URL: Dr0v :: IP: 185.12.59.118
   >? 76543264647 :: viewer key
   >? URL: data/.env :: IP: 213.209.159.175
   >? 63623731628 :: viewer key
   >? URL: docker/app/.env :: IP: 213.209.159.175
   >? 62653061304 :: viewer key
   >? URL: fedex/.env :: IP: 213.209.159.175
   >? 61663064656 :: viewer key

   [09/May/2026:11:31:32] notice: exiting: exceeded max connections per thread

Above is verbose from my honeypot. Some security camera network has been hacked and is being used for net thrifting in Romania.

The internet is a failure. Congratulations us.

palata 3 hours ago||
Developers implement what they are told to implement. People who make those decisions in companies just don't give a damn, they will happily use whatever is easier/cheaper. Usually something from TooBigTech, sponsored by surveillance capitalism.
codedokode 14 hours ago|
To be fair, there are already apps that require a mobile phone to sign up, for example, VK, Telegram. And I think Google requires scanning a QR code to register an account, so it is easier just to buy a Google account on a black market if you need it for some purpose.

Nobody trusts web browsers nowadays.

danparsonson 12 hours ago||
I think you and I move in very different social circles...

I would have no idea how, nor desire to purchase a Google account on the black market, and I do in fact still trust that my web browser can do TLS correctly.

dredmorbius 46 minutes ago|||
My reading of codedokode:

"easier just to buy a Google account ...." for those who would choose to do that in quantity. That is, the scammers and fraudsters for whom this is a financial decision. Which suggests that Google's latest moves shift the needle only slightly against actual abuse at a huge cost to the rest of us.

"Nobody trusts web browsers ..." applies to the publishing side. Content (that is, advertiser) sites and commerce most especially. The prove-yourself hoops that those opting out of that approach (de-Googled Android, privacy-hardened browser, alternative OS) must deal with are mind-bogglingly insane, speaking from personal experience. The Web no longer brings joy.

Incidentally, Google plays strongly in the second space, such that its incentives are aligned with pushing people into the "Google Play Services" ecosystem, and to both its own browser and ad-tech personal surveillance tools.

In conclusion, Google must be destroyed.

tardedmeme 11 hours ago|||
I think you can just search 'buy google account' - it isn't illegal.
danparsonson 1 hour ago||
Sure but how do I know that the person I'm buying from legitimately owns the account? Won't scam me? Or try to con me out of my existing account? I'm just saying not everyone is as relaxed about that sort of thing.
pixel_popping 16 minutes ago||
Markets are regulated by reviews, seller history and so on, the same as legal markets and it's generally smooth.
grishka 3 hours ago||
VK has been digging its own grave for quite some time now. Hardly anyone uses it any more. It's speedrunning enshittification with that registration thing but also with the very unpopular post redesign, the removal of custom news feeds, and most recently with shutting off most of the API access for third-party apps, including popular client apps like Kate Mobile.