When I finish the Cloudflare challenge, captcha.website shows me the Privacy Pass homepage and I get no tokens #306

Closed
zanderpeng opened this issue Feb 18, 2022 · 25 comments

Comments

@zanderpeng

Operating system: Windows 2019
Web browser: Chrome 98.0.4758.102
Extension version: 3.0.1
Problem description:
When I finish the Cloudflare challenge, captcha.website shows me the Privacy Pass homepage and I get no tokens.
[screenshot]

@RealDolos

Can confirm, Chrome and Firefox affected, so it's not a browser-specific problem.
@ppopth you fixed it last time in #291 / #292 and the symptoms now seem identical, except it affects the latest 3.0.1

Diagnosis

QUALIFIED_BODY_PARAMS contains cf_captcha_kind as a required parameter for detection, however that parameter is not actually issued with requests anymore. Thus the extension fails to detect captcha response requests and subsequently fails to convert these requests into token issuance requests and get tokens issued.

Removing the cf_captcha_kind requirement, or replacing it with something that exists, like captcha_answer, fixes the problem and makes the extension work again; tokens become available and are also used when needed.
The other checked parameter, h-captcha-response, still exists in the requests and is therefore not a problem for now.

In general, the whole detection code seems to be terribly fragile, if it breaking twice in as many weeks is any indication. It would be good if the Cloudflare captcha team could establish a formal way of detecting such requests that the Cloudflare Privacy Pass team could use.
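The failure mode described in the diagnosis above, as an added example that is not part of the thread or the extension's source: a strict "all required parameters present" check silently stops matching once the backend drops one name, while a near-miss classification makes that drift visible. Only the parameter names come from the issue; the function names, the form-encoded body format and the sample bodies are assumptions constructed for illustration.

```javascript
// Added illustration, not the extension's source. Only the parameter names come
// from the issue; the function names and sample bodies are constructed.
const QUALIFIED_BODY_PARAMS = ['h-captcha-response', 'cf_captcha_kind'];

// Constructed form-encoded bodies: before and after the backend change.
const OLD_BODY = 'r=abc&cf_captcha_kind=h&h-captcha-response=SAMPLE';
const NEW_BODY = 'r=abc&captcha_answer=SAMPLE&h-captcha-response=SAMPLE';
const UNRELATED_BODY = 'q=search&page=2';

// Names of the parameters present in a form-encoded body.
function bodyKeys(rawBody) {
  return new Set(new URLSearchParams(rawBody).keys());
}

// Strict detection as described in the diagnosis: all listed names must appear.
function isCaptchaResponse(rawBody, required = QUALIFIED_BODY_PARAMS) {
  const keys = bodyKeys(rawBody);
  return required.every((name) => keys.has(name));
}

// Which required names are absent from this body.
function missingParams(rawBody, required = QUALIFIED_BODY_PARAMS) {
  const keys = bodyKeys(rawBody);
  return required.filter((name) => !keys.has(name));
}

// 'match', 'no-match', or 'near-miss' (some but not all names present).
// A near-miss on a challenge submission is what a renamed or dropped
// parameter looks like, so it is worth logging instead of ignoring.
function classify(rawBody, required = QUALIFIED_BODY_PARAMS) {
  const missing = missingParams(rawBody, required);
  if (missing.length === 0) return 'match';
  return missing.length < required.length ? 'near-miss' : 'no-match';
}

for (const [label, body] of [['old', OLD_BODY], ['new', NEW_BODY], ['unrelated', UNRELATED_BODY]]) {
  console.log(label, classify(body), missingParams(body));
}
```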

@ppopth
Member

ppopth commented Feb 19, 2022

Thank you for reporting. The issue will be solved by #308

@warren-bank

warren-bank commented Feb 19, 2022

fwiw, I just retested the most recent release of the extension built from PR #283 ..and it still works correctly (with a few documented caveats). This version was built nearly 3 weeks ago, as the PR hasn't received any recent feedback. Maybe somebody could take a look at its code.. and we could merge some of its many updates?

@zanderpeng
Author

I just tested version 2.0.7. In this version hCaptcha works and I get tokens, but Cloudflare still doesn't work.
By the way, which version works? Where can I find it for Chrome?

@tumagonx

> fwiw, I just retested the most recent release of the extension built from PR #283 ..and it still works correctly (with a few documented caveats). This version was built nearly 3 weeks ago, as the PR hasn't received any recent feedback. Maybe somebody could take a look at its code.. and we could merge some of its many updates?

Thanks, your fork works!
Tested version 3.6.6 on Windows XP, Chrome 78, Tor 0.3.5.10

@zanderpeng
Author

> > fwiw, I just retested the most recent release of the extension built from PR #283 ..and it still works correctly (with a few documented caveats). This version was built nearly 3 weeks ago, as the PR hasn't received any recent feedback. Maybe somebody could take a look at its code.. and we could merge some of its many updates?
>
> Thanks your fork works! tested version 3.6.6 on Windows XP, Chrome 78, Tor 0.3.5.10

When I test 3.6.6 on Windows 2019, Chrome 98, it shows me this:
[screenshot]

@warren-bank

warren-bank commented Feb 20, 2022

@zanderpeng

  • you tried to install a crx2..
    • wrong!
  • recent versions of Chrome only support crx3..
    • please try again using the correct format

I suppose that I should also (preemptively) make the comment that my releases are self-signed.. and not verified by Google or Mozilla. I use SRWare Iron.. which is available in a portable format, and doesn't require extensions to be signed by a marketplace. Firefox dev works too [1]. All other browsers are YMMV.

  • [1] about:config
    • xpinstall.signatures.required = false

@zanderpeng
Author

Actually, I tried both crx2 and crx3, but they have the same problem.

@warren-bank

warren-bank commented Feb 20, 2022

trying to reproduce..

  • decompressed a fresh copy of Google Chrome 98.0.4758.102 portable
  • chrome://extensions
    • developer mode = false
      • crx3 does not install
      • package is invalid: CRX_REQUIRED_PROOF_MISSING
    • developer mode = true
      • crx3 installs
      • package is permanently disabled because it isn't verified by Google
    • developer mode = true
      • unpacked crx3 installs
      • package is enabled
      • extension is fully functional

conclusions..

  • Chrome: unzip the crx3 into an empty directory, and install the directory as an unpacked extension
  • SRWare Iron: ftw

@tumagonx

I use crx2, and since Chrome (360 EE) is run as Guest user, all of my extensions are in developer mode.

@warren-bank

according to this Chrome changelog, version 73.0.3683 is when Chrome ended support for installing crx2 extensions; this and all subsequent versions of Chrome only allow crx3.

@warren-bank

I'm back to using SRWare Iron 85 now.. and just tried to install the crx2;
it refuses with the error: CRX_HEADER_INVALID
..which basically just means that it requires a crx3 instead.
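A way to tell which package format a .crx file actually is before trying to install or unpack it, as an added example that is not part of the thread: it reads the CRX header (the "Cr24" magic followed by a little-endian format version) and locates the embedded ZIP archive that gets unpacked for an unpacked-extension install. The header layout comes from the CRX format itself, not from the thread; the function name and the sample buffers are constructed.

```javascript
// Added illustration, not code from the thread. A CRX file starts with the
// magic "Cr24", then a little-endian uint32 format version (2 or 3).
const CRX_MAGIC = 'Cr24';
const ZIP_MAGIC = Buffer.from([0x50, 0x4b, 0x03, 0x04]); // "PK\x03\x04"

// Hypothetical helper: report the CRX version and where the ZIP payload starts.
function inspectCrx(buf) {
  if (buf.length < 12 || buf.toString('latin1', 0, 4) !== CRX_MAGIC) {
    return { ok: false, reason: 'not a CRX file (bad magic or too short)' };
  }
  const version = buf.readUInt32LE(4);
  let zipOffset;
  if (version === 2) {
    // crx2: magic, version, key length, signature length, key, signature, ZIP
    if (buf.length < 16) return { ok: false, version, reason: 'truncated crx2 header' };
    zipOffset = 16 + buf.readUInt32LE(8) + buf.readUInt32LE(12);
  } else if (version === 3) {
    // crx3: magic, version, header length, protobuf header of that length, ZIP
    zipOffset = 12 + buf.readUInt32LE(8);
  } else {
    return { ok: false, version, reason: 'unknown CRX version' };
  }
  // The payload must begin with a ZIP local file header at the computed offset.
  const ok = zipOffset + 4 <= buf.length &&
    buf.subarray(zipOffset, zipOffset + 4).equals(ZIP_MAGIC);
  return { ok, version, zipOffset, reason: ok ? 'ok' : 'no ZIP archive at computed offset' };
}

// Constructed sample files: zero-filled keys and headers, ZIP magic as payload.
const u32 = (n) => { const b = Buffer.alloc(4); b.writeUInt32LE(n, 0); return b; };
const SAMPLE_CRX2 = Buffer.concat(
  [Buffer.from(CRX_MAGIC), u32(2), u32(3), u32(5), Buffer.alloc(8), ZIP_MAGIC]);
const SAMPLE_CRX3 = Buffer.concat(
  [Buffer.from(CRX_MAGIC), u32(3), u32(10), Buffer.alloc(10), ZIP_MAGIC]);

console.log(inspectCrx(SAMPLE_CRX2));
console.log(inspectCrx(SAMPLE_CRX3));
```

On a real file, pass the result of `fs.readFileSync(path)`; the bytes from `zipOffset` onward are the archive to extract.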

@tumagonx

Oops, sorry, I have 2 Chromes, 69 and 78; this one is 69 :D
[screenshot]

@warren-bank

warren-bank commented Feb 20, 2022

fun fact..

since the crx2 extension is expected to be used in older browsers,
which will be using a javascript engine that doesn't support all modern language features;
the crx2 extensions that I release:

  • are fully converted to ES5
  • include the core-js polyfill library

I've successfully tested it in Chrome v30:

  • hCaptcha works perfectly
  • Cloudflare's website doesn't work in this browser,
    but the extension appears to be fully functional

@warren-bank

another fun fact..

all of the text presented in the extension's UI has been set up for internationalization.

atm, I've only included English..
but translations will be very easy to add later.

@ppopth ppopth closed this as completed Feb 23, 2022
@tumagonx

Is this happening again? Please reopen.
I tried solving the puzzle like 10 times and never got a Cloudflare token; hCaptcha works.

@warren-bank

observations:

  • yep, I can confirm that the Cloudflare provider has (yet again) made breaking changes
  • in Chrome devtools, inspecting the network tab for the background page:
    • the extension is still correctly:
      • detecting and intercepting the correct request
      • sending its own request for Cloudflare to sign tokens
    • the Cloudflare backend is now incorrectly:
      • responding to the extension's request with a 403 status code
        • the content of the response is the HTML page that is seen in the browser,
        • rather than a JSON data structure containing signed tokens

status:

  • in the month since this issue was closed:
    • my fork has received no feedback or any attempt to merge any changes
    • aside from adding string translations, I haven't made any further changes
  • I'm not eager to devote much additional effort to my fork, because:
    • this project isn't being actively maintained
    • contributions are largely ignored
    • the captcha providers are constantly making changes without any apparent coordination with this project
      • which makes its foundation very unstable

@tumagonx

Dang, that sounds like a legitimate way for Cloudflare to try to kill Tor users like me (not a bot!).
I wonder how other Tor users survive this blatant internet censorship, considering most websites use Cloudflare services. And here I am trying to escape government censorship (Reddit blocked) only to get toyed with by Cloudflare.
No way I'll use an expensive VPN service though.

@ppopth ppopth reopened this Mar 20, 2022
@ppopth
Member

ppopth commented Mar 20, 2022

@tumagonx Yes, we made a change on the backend, but it should have been solved in #308 and it was released with v3.0.2
If you haven't updated the version to v3.0.2, please do so. Then, if the issue still exists, we will investigate that.
Thank you

@warren-bank

@tumagonx I'll push an update.. I imagine it should be a trivial fix to rejigger the request parameters to compensate for whatever change was recently made on the backend. I'll look at it later tonight.

@warren-bank

@tumagonx fwiw, v3.7.2 issues Cloudflare tokens again. A querystring parameter in the request to issue CF tokens was renamed.

@tumagonx

@warren-bank you saved the day. I'll try to learn the changes in case another break happens.

@aravindvnair99

aravindvnair99 commented Apr 3, 2022

> @tumagonx Yes, we made a change on the backend, but it should have been solved in #308 and it was released with v3.0.2
> If you haven't updated the version to v3.0.2, please do so. Then, if the issue still exists, we will investigate that.
> Thank you

@ppopth The issue continues in version 3.0.2 of the extension as well. I get Cloudflare but not hCaptcha.

[screenshot]

Google Chrome 100.0.4896.60 (Official Build) (64-bit) (cohort: Stable Installs & Version Pins)
OS Windows 11 Version 21H2 (Build 22000.593)

Related / similar open issues:

@armfazh
Member

armfazh commented Nov 14, 2022

@zanderpeng try the new version v3.0.4, and open a new ticket if you have a new issue.

@armfazh armfazh closed this as completed Nov 14, 2022
@Deyrap355

Deyrap355 commented Nov 16, 2022 via email
