This is an interesting one. I’ve never seen anything like this used in ROBLOX games, as ROBLOX provides strong lengths of protection against bots, although there are still bots.
I would make a DataStore to save that the player has done the captcha before, or it’s just going to get annoying constantly having to do this every time they join, and a lot of kids could confuse images up, etc.
Love the idea, but additionally it looks very vulnerable to exploits that can just bypass it with an auto injection into the game.
This is a decent idea, but it could be improved. Players should only have to verify once. When they pass the CAPTCHA, their UserId should be automatically stored in a DataStore. This way, they won’t encounter another CAPTCHA, or at least they’ll only need to verify again every 30 days, depending on how you set it up. That being said, I believe the botting issue should continue to be resolved (or attempted) by Roblox themselves. But this is a good idea for huge botted games like MM2, Fisch, Adopt Me, etc. to prevent as much financial loss as possible.
It is possible, but it is not easy to implement. You would need a dataset of actual player interactions in your game to determine what interactions are outside of the norms of that dataset (which one may assume could be bot activity). Games like Valorant have anti-cheat installed on the client, yes, but there are still server-authoritative measures in place that work seamlessly in the background without interrupting players with prompts.
I understand the potential of this type of captcha and it would definitely prove to be useful in the scenario you provided. I’m only suggesting to incorporate more detections like measuring the time it took to click each button, or whether the mouse suddenly “jumped” to each button rather than moving across the screen. These detections aren’t perfect but they do offer a more wholesome Captcha.
Auto-fill exploits work by checking what’s in front of you. For example, if I get the captcha and the game is requiring “Cat”, you can make an exploit that detects which one is a cat and picks it.
Yeah, I’ve pretty much come to the conclusion that Roblox is fried like some buttery bacon when it comes to exploits. I know you are right because I’ve personally made scripts that can automatically press buttons on the screen, and even if you randomize them it doesn’t matter; the exploit can always know where the GUI is and then press the correct button. It’s impossible to make a client-sided anti-captcha. Unless Roblox allows developers to put everything on the server, it will in fact be bypassed.
It is definitely possible to create client-sided captchas. The client doesn’t need to know the correct answer.
Ex.
The server chooses 3 images from a random set; it can label them 1, 2, and 3. It will send them to the client with no context besides the numbers and the image content. The user will click the one they think is right and tell the server the number. The server will check if it matches; if it does, all is well; if not, you can go from there.
With editable images, you can just send the client 3 buffers; you can apply any sort of randomization and distortion to the images so that they can’t be memorized/recorded. If the contents of these images pertain to unique aspects of your game, it will also prevent generalized AI vision from working.
I appreciate your insight but there are two key things to understand.
Anything client-sided is possible to bypass.
There are paid anti captcha services that bypass secure websites that use captcha.
So with that being said, the question isn’t something like “How can we create a client-sided captcha that can’t be bypassed?” The question is “How long can we deter exploiters from botting before they finally figure out how to bypass the client-sided captcha?”
While I think your insight is valuable, the instructions should really be kept private. This forum is filled with exploiters and pen-testers and so anything you are teaching us how to do can be reverse engineered by people on here and then bypassed. Roblox is pretty much doomed in terms of exploiters and the only thing that can be done is procrastinating that doom as long as possible before the exploiters take over the entire platform.
I just said it wasn’t client-sided. There is no info on the client besides pixel data. All they do is relay their choice to the server. It can be seen as an invalid response if no choice is relayed.
What makes you think exploits aren’t capable of selecting the right choice?
For example, lol, this game that I personally hardly even play anymore had a tournament, and to make it fair they added this “anti cheat” to the tournament where it has a captcha code that you have to input while you’re playing. It is sent to the server through a GUI using a remote event.
All you had to do to bypass it was literally just grab the code using FindFirstChildOfClass, and no matter what the code was, you could just guess it correctly automatically and continue running automated scripts to win the tournament.
The idea itself is good that all we want the client seeing is “pixel data” as you call it, but that idea fumbles when you realize the power these exploits have over the game itself. How do you relay information to the server without a remote event? You can’t.
What are you talking about? How does the client know what the right choice is? It doesn’t. The server tells the client, “Here are some images; tell me which one is the right one.” The client sends back a number. If the client doesn’t send back a number, it fails the captcha; if it sends the wrong number, it fails the captcha. The client never gets to know what the right option is. It only gets given pixel data and a request.
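The server side of the scheme described in this thread (the server keeps the answer, the client only receives numbered image buffers and relays a number back, and a DataStore-style record means players verify once and then only again after 30 days), written here as an added Python model and not as code from anyone in the thread or from Roblox. IMAGE_LIBRARY, the TTL constants, the attempt limit and the XOR "distortion" are constructed stand-ins; on Roblox the same logic would sit in a server Script behind a RemoteFunction, with DataStoreService in place of the `_verified` dict and EditableImage buffers in place of the byte strings.

```python
import hashlib
import random
import time

# Constructed stand-in for the game's image set: label -> candidate image buffers.
# On Roblox these would be EditableImage pixel buffers; here they are plain bytes.
IMAGE_LIBRARY = {
    "cat": [b"cat-image-1", b"cat-image-2"],
    "dog": [b"dog-image-1"],
    "tree": [b"tree-image-1"],
}

VERIFIED_TTL_SECONDS = 30 * 24 * 3600   # re-verify every 30 days (as suggested in the thread)
CHALLENGE_TTL_SECONDS = 120             # an unanswered challenge goes stale
MAX_WRONG_ANSWERS = 3                   # after this many misses the challenge is voided


def distort(image: bytes, nonce: bytes) -> bytes:
    """Per-challenge distortion so a library image is never sent byte-identical twice.
    Stand-in for real pixel distortion: XOR with a SHA-256 keystream derived from the nonce."""
    stream = b""
    counter = 0
    while len(stream) < len(image):
        stream += hashlib.sha256(nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(image, stream))


class CaptchaServer:
    """Server-authoritative captcha: the correct number lives only here, never in the payload."""

    def __init__(self, rng=None, now=time.time):
        self._rng = rng or random.SystemRandom()   # injectable for deterministic tests
        self._now = now
        self._pending = {}    # user_id -> {"answer": int, "wrong": int, "issued": float}
        self._verified = {}   # user_id -> pass timestamp (stand-in for a DataStore)

    def needs_captcha(self, user_id: int) -> bool:
        """True on first join and again once the 30-day verification has lapsed."""
        passed_at = self._verified.get(user_id)
        return passed_at is None or self._now() - passed_at > VERIFIED_TTL_SECONDS

    def issue_challenge(self, user_id: int) -> dict:
        """Build what the client sees: a prompt and three numbered, distorted image buffers.
        The correct number is recorded server-side and is absent from the returned dict."""
        target = self._rng.choice(sorted(IMAGE_LIBRARY))
        decoys = self._rng.sample([k for k in sorted(IMAGE_LIBRARY) if k != target], 2)
        labels = [target] + decoys
        self._rng.shuffle(labels)
        nonce = self._rng.getrandbits(128).to_bytes(16, "big")
        images = {}
        for number, label in enumerate(labels, start=1):
            source = self._rng.choice(IMAGE_LIBRARY[label])
            images[number] = distort(source, nonce + bytes([number]))
        self._pending[user_id] = {
            "answer": labels.index(target) + 1,
            "wrong": 0,
            "issued": self._now(),
        }
        return {"prompt": f"Tap the {target}", "images": images}

    def submit_answer(self, user_id: int, choice) -> str:
        """Handle the number the client relays. `choice` is untrusted remote input."""
        state = self._pending.get(user_id)
        if state is None:
            return "no_challenge"          # answering with nothing outstanding is a failure
        if self._now() - state["issued"] > CHALLENGE_TTL_SECONDS:
            del self._pending[user_id]
            return "expired"
        # Reject non-integers (and bool, which Python would otherwise treat as 0/1).
        if isinstance(choice, int) and not isinstance(choice, bool) and choice == state["answer"]:
            del self._pending[user_id]
            self._verified[user_id] = self._now()
            return "passed"
        state["wrong"] += 1
        if state["wrong"] >= MAX_WRONG_ANSWERS:
            del self._pending[user_id]     # caller decides what to do with the session
            return "locked"
        return "wrong"


if __name__ == "__main__":
    server = CaptchaServer()
    uid = 12345                            # constructed UserId
    if server.needs_captcha(uid):
        payload = server.issue_challenge(uid)
        print(payload["prompt"], "images:", sorted(payload["images"]))
        print(server.submit_answer(uid, 2))
```

The payload sent to the client carries a prompt and three distorted buffers, nothing else; the answer, the wrong-answer count and the issue time stay in `_pending`, so a script reading the client's objects finds no code to copy. What this does not do is stop a client that recognises the images, which is the objection raised elsewhere in the thread; the attempt limit, challenge expiry and "no_challenge" result are there so the server has something to count, rate-limit and log when that happens.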
If you send the client a random code and make them fire the server to relay the correct choice, the exploiter can automate a script that automatically hooks onto that event and does it all automatically without actually doing any work. The same applies for any random thing you send to the client. You don’t seem to understand basic knowledge about remote event security.
You have no clue what I’m talking about. No code is being sent to the client. All the client gets are three numbers and three corresponding images. It never knows which one is correct.
We both resolved this in DMs together and I was right about everything.
She did not understand that the anti cheat I had personally created and bypassed directly correlates to how you can bypass anti captcha.
Thank you for working with me and taking the time to understand all of it. I really appreciate it and I hope everyone can learn from my extensive knowledge on this topic.
I see how this can be used in games with more bots than players (like mm2). It should make you do a captcha before you claim the coins you got during the round.
Brother, that’s literally how real captcha works: it sends a challenge and choices, then you send back your answer; the client doesn’t know which is right. And you still have the audacity to say “You don’t understand the basics of remote security”. Such high ego.