CaptchaTheFlag - Protect your game from bots

There is a large difference between this CAPTCHA and the one Roblox or any other website uses.
Firstly, the images used are much more complex and are usually generated live in order to prevent the use of guessing.
Secondly, they don’t just check what you choose. Why do you think the “I’m not a Robot” checkbox exists? If clicking it is enough to pass the test, all bots can easily bypass it, right? That’s because that’s not how it works. This check works by checking your mouse speed, position, acceleration, and reaction time (along with a few dozen other variables seen by the neural network) and comparing them to what a human would do (while making sure that this movement is unique). If it is not 100% sure, it will ask you to complete an additional CAPTCHA, which most bots don’t bother doing and give up.

Generally, CAPTCHAs on Roblox games are more or less pointless. Bots don’t usually do anything in-game; they exist to either boost ratings or player count, neither of which can be stopped by the developer.

I do not think this would protect your game against dislike and like bots.

I have a question, how will color blind people be able to do the color block thing?

1 Like

But where is this compared? On the web server? Can’t bots just spoof the information sent to the server to look like a real person? The bot owner can measure all the human stats when he tries a captcha, and then he programs the bot to always spoof the same information he gave and execute it in small little random bits using random() to make the movement look unique.

For example the average Mouse speed might be 30. Then the bot spoofs the mouse information like this.

Math.random(-5,5) + AverageMouseSpeed (this random function also produces decimals)

The information is sent to the web server to decide so it cannot be spoofed.
As for how the decision is made, it is not based off of something as simple as mouse speed alone. It uses as much information as it can to determine if the click was genuine by using neural networks. Instead of beating CAPTCHAs, bots usually find a bypass that allows them to skip it.

The information sent to the web server can be spoofed. The bot can send its own request to the webserver with spoofed information. For example, it can send the Mouse speed as 5.

I mean I get that, but once you find how a normal human behaves you can use those parameters for all captcha bypass requests, with slightly different variations using Math.Random()

Depends on your definition of a spoof but point is, you cannot bypass a CAPTCHA by giving it wrong information because you cannot reasonably provide the information that would work in your benefit.
Neural networks are not that simple. If it was trained to detect someone trying that, it will detect it no matter what you do, especially if it logs other information like your account age, avatar, blurb, badges, favourites, etc. If you make a CAPTCHA on Roblox that includes all of those parameters as well as every variable you can get from the mouse, then you get into unsolvable territory.

1 Like

@WishingTie After trying a few captchas, got this error

That solution wouldn’t work at all. You have no control over the client so it could simply check for the box with the red color. There is no way around it, CaptchaTheFlag is only useful if most games aren’t using it, which is the case right now.

There’s some issues, but it’s really great; love how clean it is as well as how simple it is while still doing the job

This is great! I love how it’s so simple to use. @WishingTie I would include in the readme that you need to move the captcha script into ServerScriptService to have it work with that example.

To all people who think that this is “to stop bots and not exploiters”.
Bots actually seem to be using some script injectors to fire Chat:Chat(). Here is a tutorial on how to break all laws of reality:

  1. Go into a game, “Prison Life” during a bot attack (if bots are in other games, they’ll probably be there too).
  2. Right after joining, you are taken to team select screen. Notice that your team is “Neutral” and your chat GUI is disabled. Right after picking a team the chat GUI will be enabled.
  3. Wait for a bot to appear.
  4. Cover yourself in oil
  5. The bot will do its thing - send a scam link. See anything wrong? The bot chatted while being in the “Neutral” team! Reminder - your chat GUI is disabled when you are in that team. This means that they’ve chatted without needing the GUI. They’re doing that at ultrasonic speeds, which means that this is the way they always send links, and this makes this whole CAPTCHA kinda pointless.

There’s one trouble with this tutorial though - the game is slowly declining in popularity, and the chances of bots appearing are declining too.

7 Likes

I think there might be better ways of detecting bots and removing their chats and removing them from the game after being sure they are bots.

Many bots repeat the same message or a handful of messages repeatedly. We can simply log these messages and block them from reaching chat, if there are enough infractions we can kick and eventually ban the player.

It’s better to punish the bad actor and not all the legit players.
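The repeat-message approach described in this post, as an added example that is not part of the original thread or the CaptchaTheFlag resource. It is a language-neutral Python model of the server-side logic (a Roblox implementation would live in a server Script); the chat lines, thresholds and user names are constructed for the demo.

```python
import re
from collections import defaultdict, deque

# Constructed sample chat: one bot repeating a spam line with trivial
# variations, and one legitimate player chatting normally.
SAMPLE_CHAT = [
    ("bot01", "free r0bux at example.invalid !!!"),
    ("player7", "anyone want to trade?"),
    ("bot01", "FREE R0BUX at example.invalid!!!"),   # same text, different case
    ("bot01", "free  r0bux  at example.invalid"),    # extra spaces, no punctuation
    ("player7", "gg"),
    ("bot01", "free r0bux at example.invalid !!!"),
    ("bot01", "free r0bux at example.invalid !!!"),
]

def normalize(message):
    """Fold case, drop punctuation and collapse whitespace so trivial
    variations of one spam line count as the same message."""
    text = re.sub(r"[^\w\s]", "", message.lower())
    return " ".join(text.split())

class RepeatChatFilter:
    def __init__(self, window_seconds=60, max_repeats=2, kick_after=2):
        self.window = window_seconds
        self.max_repeats = max_repeats   # identical lines allowed per window
        self.kick_after = kick_after     # blocked lines before the player is kicked
        self.history = defaultdict(deque)   # user -> deque of (timestamp, key)
        self.infractions = defaultdict(int)

    def check(self, user, message, now):
        """Return 'allow', 'block' or 'kick' for one chat line sent at time now."""
        key = normalize(message)
        hist = self.history[user]
        while hist and now - hist[0][0] > self.window:   # forget old lines
            hist.popleft()
        repeats = sum(1 for _, k in hist if k == key)
        hist.append((now, key))
        if repeats < self.max_repeats:
            return "allow"
        self.infractions[user] += 1      # only the repeating sender is punished
        if self.infractions[user] >= self.kick_after:
            return "kick"
        return "block"

def run_sample():
    """Feed the constructed chat through the filter, one line per second."""
    f = RepeatChatFilter()
    return [f.check(user, msg, t) for t, (user, msg) in enumerate(SAMPLE_CHAT)]
```

Legitimate players never accumulate infractions, so the filter punishes only the repeating sender rather than challenging everyone with a CAPTCHA.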

What is a better idea is blurry numbers or something similar.

Maybe using runtime CSG to generate skewed letters in a way that it’s hard to analyze for client modifications. :thinking:

3 Likes

Does it display a puzzle based on account age or always?

Does this keep track of mouse movement (like google CAPTCHA)? If not then it’s simply a button click that can easily be simulated (or they could just destroy the GUI itself).

Does this mute the player in chat? If not, most bots just use a script injector to send chat messages afaik. You should mute the player in the chat, which isn’t too hard to do, thankfully; it’s built in to the chat scripts, so you can just require the chat modules and call a quick function or two.

Also, you should implement a challenge where players select something based on their username, or one of their friend’s usernames. For example, you could have them do a click selection for any of these and generate a few random answers (you can bold the relevant character(s) in the name too):

  • Nth letter
  • Nth capital letter
  • Nth lowercase letter
  • Nth number
  • Nth number above x
  • Nth number below x
  • Number of capital letters
  • Number of lowercase letters
  • Number of letters
  • Number of numbers

The above questions are easy to generate, easy for the user to answer, and somewhat hard for a bot to potentially understand.

Additionally, I’m not sure if you do this already, but, you should make your script entirely server sided and have the client send their answer choice as a number meaning the nth answer. The server would then unmute them in the chat and hide the GUI, rather than client code.

The above would require a bot to parse your GUI, which, you could even completely randomize the structure of to make it impossible for bots to access the text directly via code. This would require bots to use OCR (optical character recognition) or try and find the text through other means which would be difficult and less effective.

On top of that, you could insert random colored or strikethrough key words into the text to make it hard for bots to process the text via OCR, and add garbage RichText to make it harder to process if they manage to get the text. For example, <s></s>How many <s>letters</s> <font size="0" color="rgb(255, 255, 255)">numbers</font><font size="14" color="rgb(0, 0, 0)">letters</font> are in <font color="rgb(255, 0, 0)">numbers</font> <s>RandomPlayerName's</s> your name?

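The username-based challenge with server-side verification suggested in this post, as an added example that is not part of the original thread or the CaptchaTheFlag resource. It is a Python model of what a Roblox server Script would do: the client receives only the prompt and the option list and replies with an option index; the username, the question kinds and the option count are constructed assumptions, and the username is assumed to contain at least one letter.

```python
import random
import string

def username_answer(name, kind, n=1):
    """Ground truth for one question type, computed only on the server."""
    if kind == "nth_letter":
        return [c for c in name if c.isalpha()][n - 1]
    if kind == "count_upper":
        return str(sum(c.isupper() for c in name))
    if kind == "count_lower":
        return str(sum(c.islower() for c in name))
    if kind == "count_digits":
        return str(sum(c.isdigit() for c in name))
    raise ValueError(kind)

PROMPTS = {
    "nth_letter":   "Which is letter number {n} of your username?",
    "count_upper":  "How many capital letters are in your username?",
    "count_lower":  "How many lowercase letters are in your username?",
    "count_digits": "How many digits are in your username?",
}

def build_challenge(name, kind, n, rng, options=4):
    """Return (prompt, shuffled options, index of the correct option)."""
    answer = username_answer(name, kind, n)
    # Distractors come from plausible values: letters, or counts up to len(name).
    pool = string.ascii_letters if kind == "nth_letter" else [str(i) for i in range(len(name) + 1)]
    choices = rng.sample([p for p in pool if p != answer], options - 1) + [answer]
    rng.shuffle(choices)
    return PROMPTS[kind].format(n=n), choices, choices.index(answer)

class ChallengeServer:
    """Holds the expected index per user; it never leaves the server."""
    def __init__(self, rng=None):
        self.rng = rng or random.SystemRandom()
        self.pending = {}                      # user -> expected option index

    def issue(self, user, name):
        kind = self.rng.choice(list(PROMPTS))
        n = self.rng.randint(1, sum(c.isalpha() for c in name))
        prompt, choices, idx = build_challenge(name, kind, n, self.rng)
        self.pending[user] = idx
        return prompt, choices                 # all the client ever sees

    def verify(self, user, chosen):
        expected = self.pending.pop(user, None)   # one attempt per challenge
        return expected is not None and chosen == expected
```

Because the challenge is consumed on the first verify call, a wrong guess cannot be retried against the same question and a replayed index passes nothing.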

2 Likes

Clever idea, the rich text part, but…

Yep, I’m aware. That’s why I suggested the inclusion of extra keywords that are visually distinct.
If you use the Content property, you get rid of the extra distinction and it’s harder to filter out bad content.
That forces them to use the RichText property, so they have to process the content manually to decide what is and isn’t important.

1 Like