CaptchaTheFlag - Protect your game from bots

A few weeks ago, I decided to make a CAPTCHA system and posted it on #help-and-feedback:cool-creations hoping for feedback. I ended up with some great responses, so I decided to revise my project.

Introducing CaptchaTheFlag

CaptchaTheFlag is an API-like tool to implement a CAPTCHA into your game, meaning YOU as the developer get to decide when a player sees a CAPTCHA. Here’s how:

game.ServerStorage.Captcha.Deploy:Invoke(player, version, dismissable, blur)

Invoking the (yielding) BindableFunction will present the player with a CAPTCHA with the properties you specify. If the player completes the CAPTCHA, the function will return with true. If the player dismisses the CAPTCHA, leaves the game, or takes too long to complete it, the function will return with false.

Example invoke function
game.ServerStorage.Captcha.Deploy:Invoke(game.Players.Player1, 2, false, true) 
-- Give Player1 a Version 2 CAPTCHA that cannot be dismissed, and blurs the background

CaptchaTheFlag also offers 2 versions, one easy and one slightly harder. Here’s both of them in action:

Version 1 (Easy)

A click-to-check challenge. This is very simple, however, and could be bypassed by smarter bots (or bots with exploits).

Version 2 (More challenging, tougher for bots)

A more challenging puzzle. Based off of Google’s reCAPTCHA, this is supposed to be tougher for bots. The colors are a randomly generated shade of red, orange, yellow, green, and blue, in a random order on the client’s screen. This version also records how many failed attempts the player made, but doesn’t take any action. You can find the amount at game.ServerScriptService.Captcha.Deploy[player.Name].FailedAttempts.Value.

Grab CaptchaTheFlag for free at https://www.roblox.com/library/5246204244/CaptchaTheFlag
Want to test it out first? Here’s a demo: https://www.roblox.com/games/5099320249/Captcha-Demo

40 Likes
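
An added example, not part of the original post or of CaptchaTheFlag itself: a server Script that treats anything other than a `true` return from the Deploy call described above as a failure and also acts on the FailedAttempts counter. The threshold, the `CaptchaPassed` attribute name and the assumption that the counter is still readable after Invoke returns are illustrative.

```lua
-- Added example, not part of CaptchaTheFlag. Server Script in ServerScriptService.
local Players = game:GetService("Players")
local ServerStorage = game:GetService("ServerStorage")
local ServerScriptService = game:GetService("ServerScriptService")

local deploy = ServerStorage:WaitForChild("Captcha"):WaitForChild("Deploy")
local MAX_FAILED = 5 -- assumed threshold; the module itself takes no action

-- Reads the counter at the path given in the post; nil if it is not there.
local function failedAttempts(player)
	local captcha = ServerScriptService:FindFirstChild("Captcha")
	local deployScript = captcha and captcha:FindFirstChild("Deploy")
	local entry = deployScript and deployScript:FindFirstChild(player.Name)
	local counter = entry and entry:FindFirstChild("FailedAttempts")
	return counter and counter.Value or nil
end

local function challenge(player)
	player:SetAttribute("CaptchaPassed", false) -- unverified until proven otherwise
	-- Invoke yields until the CAPTCHA is solved, dismissed or times out.
	-- pcall: an error inside the module must never count as a pass.
	local ok, passed = pcall(function()
		return deploy:Invoke(player, 2, false, true)
	end)
	if player.Parent == nil then
		return false -- player left while the CAPTCHA was open
	end
	local failed = failedAttempts(player) or 0
	if failed > MAX_FAILED then
		warn(player.Name .. " needed " .. failed .. " attempts on the CAPTCHA")
	end
	local verified = ok and passed == true and failed <= MAX_FAILED
	-- Set on the server; a change made by a client does not replicate back.
	player:SetAttribute("CaptchaPassed", verified)
	return verified
end

-- PlayerAdded handlers run in their own thread, so the yield blocks nobody else.
Players.PlayerAdded:Connect(challenge)
```

Other server scripts can then check `player:GetAttribute("CaptchaPassed")` before relaying chat or granting anything of value.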

This can easily be bypassed by Exploiters, sorry man :confused:

13 Likes

But does the player have to use the captcha whenever they join the game?
It’s already a hassle whenever I need to join a Roblox group
so…

1 Like

The goal is to stop bots, not exploiters. Most scam bots just join a game and spam links to phishing sites; a developer can implement this to stop the majority of the automated actions.

11 Likes

It’s all up to the developer. This does not activate automatically in any way, the developer has to invoke a BindableFunction

1 Like

There are better ways to prevent bots in your game doing malicious stuff to your players. Setting up a captcha on your game is really annoying for players just trying to play. Perhaps set up a bot detector that detects if someone is trying to do something malicious. For example you can censor out anything related to ‘prize’, or ‘robux’, or ‘cash’, or even dots and ‘dot’

1 Like

Hi @WishingTie09120!

Thank you for sharing this resource, it is very interesting and useful.

Would you kindly create a link to Source code (preferably Github and/or Pastebin) for people who want to read the source but don’t have any access to a PC?

3 Likes

@FKAGamingDeOne

I’ve read the thread and the replies, this resource is to stop bots not exploiters. Bots are automated things that, if not hardcoded into them, they cannot pass the captcha:

image
It even says that in the title.


This will stop the vast majority of bots, which are all lazily programmed to just spam the chat.


Instead of replying so many times, @FKAGamingDeOne, edit your OP instead, for the purpose of making the thread clean.

4 Likes

Yes, and the code I supplied can be implemented into bots and it can check for certain sources that disable it from doing its point

That’s what the original idea was, but several users pointed out that there’s really no way to get every scam-related word with just string patterns. Roblox has already implemented a fairly good chat filter, but even that can’t stop some bots. A CAPTCHA would be annoying to players, but some sort of protection is better than nothing. I guess it’s all up to how you implement it; if it’s in a non-obtrusive way and only used when necessary then I hope most players wouldn’t have a problem with solving a quick puzzle

This is an interesting idea, but I can see the ver. 2 captcha being too difficult for us colorblind folk.

11 Likes

May I know how the captcha works? Is version 1 literally just a button that has to be pressed?

Are bots programmed to be able to click on buttons? If not, then I think a much better way of presenting a captcha is by setting up a loading screen. Then the player won’t be annoyed because they don’t even know it’s a captcha…

Most captchas require you to click a button, but this has been bypassed like hell

I might use this for my game, I might edit it for more puzzles.

Going on-topic, are the puzzles managed through the server? For example, if I need to select the frame with the green color, is the color value that I need to select in the client or server? Thanks for reading.

Here’s a pastebin: https://pastebin.com/7jHcUJAJ

@locale Yes, version 1 is just a click puzzle. I’d assume most Roblox bots don’t have AI, they just join games and spam off-site links. However, it’s entirely possible that a bot can be programmed to click the box as @FKAGamingDeOne pointed out

@Conejin_Alt the colors are sent to the client, but the client has no way of correlating the Color3 value and the string (unless of course, they know their colors)

4 Likes
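
On the question above of whether the puzzle is managed on the server, an added example (not CaptchaTheFlag’s source) of a server-authoritative color challenge: the server keeps the index of the correct tile and the expiry time, and the client only reports which tile was clicked. The `CaptchaAnswer` RemoteEvent, the hue table, the timeout and the `CaptchaPassed` attribute are assumptions made for the example.

```lua
-- Added example (not CaptchaTheFlag's source). Server Script.
-- Assumption: a RemoteEvent named "CaptchaAnswer" exists in ReplicatedStorage.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local answerEvent = ReplicatedStorage:WaitForChild("CaptchaAnswer")

local HUES = { red = 0, orange = 0.08, yellow = 0.16, green = 0.33, blue = 0.62 }
local NAMES = { "red", "orange", "yellow", "green", "blue" }
local TIMEOUT = 30 -- seconds (assumed)
local rng = Random.new()
local pending = {} -- [player] = { answer = tileIndex, expires = clock time }

local function issueChallenge(player)
	player:SetAttribute("CaptchaPassed", false)
	-- Fisher-Yates shuffle so the tile order differs for every challenge
	local order = table.clone(NAMES)
	for i = #order, 2, -1 do
		local j = rng:NextInteger(1, i)
		order[i], order[j] = order[j], order[i]
	end
	local tiles = {}
	for i, name in ipairs(order) do
		-- Random saturation and brightness give a random shade of each hue
		tiles[i] = Color3.fromHSV(HUES[name], rng:NextNumber(0.7, 1), rng:NextNumber(0.7, 1))
	end
	local answer = rng:NextInteger(1, #order)
	pending[player] = { answer = answer, expires = os.clock() + TIMEOUT }
	-- The client gets only what it has to draw: the prompt word and the tiles
	answerEvent:FireClient(player, order[answer], tiles)
end

answerEvent.OnServerEvent:Connect(function(player, tileIndex)
	local entry = pending[player]
	if not entry then
		return -- no open challenge for this player: ignore the message
	end
	pending[player] = nil -- single use: any reply consumes the challenge
	local passed = os.clock() <= entry.expires
		and type(tileIndex) == "number"
		and tileIndex == entry.answer
	-- Server-set attribute; changes made by a client do not replicate back
	player:SetAttribute("CaptchaPassed", passed)
end)

Players.PlayerAdded:Connect(issueChallenge)
Players.PlayerRemoving:Connect(function(player)
	pending[player] = nil
end)
```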

Interesting, now that you mentioned it there are colors that are seeable by most colorblind people, I think yellow and blue; however, please do more research to make sure.


What if the player did something different like a Multiple choice question or a Math question?

4 Likes

Yes that should be a nice alternative.
A simple math equation (ex. 2+2, 4-1, etc.)

@RuizuKun_Dev and @no_clu360 the multiple choice is an interesting idea, but wouldn’t a bot just be able to evaluate a math problem?

I think I’ll pass for now, mostly due to the hate against captchas. I think a good way of preventing players from being taken is to add a loading screen and a note that clarifies to never click on any offsite links.