Hacker News: eatbots

Browser agents have virtually no guardrails

eatbots — Tue, 28 Oct 2025 17:06:53 +0000

Article URL: https://www.hcaptcha.com/post/report-browser-agent-safety-is-an-afterthought-for-vendors

Comments URL: https://news.ycombinator.com/item?id=45735597

Points: 13

# Comments: 1

how hCaptcha stayed up when Cloudflare and Google went down

eatbots — Fri, 13 Jun 2025 17:53:01 +0000

Article URL: https://www.hcaptcha.com/post/how-hcaptcha-stayed-up

Comments URL: https://news.ycombinator.com/item?id=44270624

Points: 28

# Comments: 4

New comment by eatbots in "1 bug, $50k in bounties, a Zendesk backdoor"

eatbots — Sat, 12 Oct 2024 15:09:39 +0000

Reported this exact bug to Zendesk, Apple, and Slack in June 2024, both through HackerOne and by escalating directly to engs or PMs at each company.

I doubt we were the first. That is presumably the reason they failed to pay out.

The real issue is that non-directory SSO options like Sign in with Apple (SIWA) have been incorrectly implemented almost everywhere, including by Slack and other large companies we alerted in June.

Non-directory SSO should not have equal trust vs. directory SSO. If you have a Google account and use Google SSO, Google can attest that you control that account. Same with Okta and Okta SSO.

SIWA, GitHub Auth, etc are not doing this. They rely on a weaker proof, usually just control of email at a single point in time.

SSO providers are not fungible, even if the email address is the same. You need to take this into account when designing your trust model. Most services do not.

New comment by eatbots in "An Empirical Study and Evaluation of Modern CAPTCHAs"

eatbots — Sun, 17 Dec 2023 21:45:14 +0000

If you report the website/sitekey to hCaptcha support it'll get banned pretty quickly.

New comment by eatbots in "How Well Do AI Text Detectors Work? (Benchmarks)"

eatbots — Wed, 07 Jun 2023 18:13:03 +0000

hCaptcha tested popular detectors on confirmed LLM and human output. No public AI text detector scored better than random chance.

How Well Do AI Text Detectors Work? (Benchmarks)

eatbots — Wed, 07 Jun 2023 18:13:02 +0000

Article URL: https://www.hcaptcha.com/post/ai-text-detectors-fail-to-spot-llm-output

Comments URL: https://news.ycombinator.com/item?id=36230910

Points: 16

# Comments: 2

New comment by eatbots in "Ask HN: Did HN just start using Google recaptcha for logins?"

eatbots — Mon, 09 Jan 2023 19:55:43 +0000

hCaptcha has completely passive score-only modes. When to challenge and how hard is up to the site.

New comment by eatbots in "Ask HN: Did HN just start using Google recaptcha for logins?"

eatbots — Mon, 09 Jan 2023 18:25:04 +0000

This is entirely configurable by the site owner. hCaptcha has entirely passive score-based detection, 99.9% passive mode, and more aggressive options as needed.

(disclosure: work there)

New comment by eatbots in "Audible feedback on just how much your browsing feeds into Google"

eatbots — Mon, 22 Aug 2022 20:57:16 +0000

No: enterprise customers like that pay hCaptcha. https://www.hcaptcha.com/enterprise

New comment by eatbots in "Captcha Has Gone Too Far"

eatbots — Fri, 12 Aug 2022 12:31:03 +0000

This is not what empirical measurements show. It is referring to a minimum internal benchmark, rather than what actually happens. (source: work there)

If you're getting shadow banned somewhere, it is typically either the site itself or their CDN or bot management providers that is sending you into a challenge loop; hCaptcha doesn't control the behavior in those scenarios.

New comment by eatbots in "Private Access Tokens: Eliminating CAPTCHAs on iPhones and Macs"

eatbots — Thu, 09 Jun 2022 23:59:57 +0000

Like any attestation scheme, it doesn't prove anything about the humanity of the button-presser, only that software, hardware, or flesh triggered an action in iOS.

hCaptcha's announcement goes into a bit more detail on the tradeoffs: https://www.hcaptcha.com/post/announcing-support-for-private...

The main benefit over traditional hardware attestation is that RSA blinding is used to avoid linkability to a single device.

Humanity Verification: The First 3k Years

eatbots — Mon, 18 Apr 2022 17:39:47 +0000

Article URL: https://www.hcaptcha.com/post/humanity-verification-the-first-3-000-years

Comments URL: https://news.ycombinator.com/item?id=31073953

Points: 8

# Comments: 0

New comment by eatbots in "The end of the road for Cloudflare CAPTCHAs"

eatbots — Fri, 01 Apr 2022 14:21:35 +0000

Reducing challenges to real people is everyone's goal, including the goal of everyone working on modern CAPTCHA / bot mitigation platforms..

And no one will ever succeed at bringing them to zero.

Perennial favorite explainer on the topic: https://www.hcaptcha.com/post/why-captchas-will-be-with-us-a... Why CAPTCHAs Will Be With Us Always

(disclaimer: work on this stuff)

New comment by eatbots in "Cloudflare have made it impossible for me to unsubscribe from marketing emails"

eatbots — Tue, 22 Mar 2022 14:23:08 +0000

Vast majority of traffic from Tor IPs is abuse, which makes it challenging to deliver a good experience for the handful of normal users mixed in there.

You might be interested in one approach we've been working on for this: https://www.hcaptcha.com/privacy-pass

(full disclosure: work on hCaptcha)

New comment by eatbots in "ReCAPTCHA (A Google Service) Privacy Concerns"

eatbots — Tue, 15 Feb 2022 22:25:38 +0000

hCaptcha really doesn't care who you are, and has no incentive to do so. Pretty different economic model than an ad seller like Google.

People who build their own generally end up switching to a service like hCaptcha once they start getting attacked. Not a simple problem, as any solution you put in place needs to constantly evolve if you are protecting anything of value.

(disclosure: work there)

New comment by eatbots in "ReCAPTCHA (A Google Service) Privacy Concerns"

eatbots — Tue, 15 Feb 2022 22:15:29 +0000

hCaptcha is in fact tested this way, and has pretty consistent accuracy across hundreds of countries:

https://www.hcaptcha.com/post/do-captchas-really-discriminat...

(disclosure: work there)

New comment by eatbots in "Austrian DPA Ruling Against Google Paves the Way to EU-Based Cloud Services"

eatbots — Tue, 01 Feb 2022 15:52:00 +0000

Actually, no. hCaptcha has always been very privacy-focused, so in this case there are technical safeguards available: enterprise customers can pre-blind all data on their end, meaning hCaptcha gets no PII at all.

(disclosure: work there)

hCaptcha is not affected by log4shell (Analysis)

eatbots — Mon, 13 Dec 2021 20:48:46 +0000

Article URL: https://www.hcaptcha.com/post/hcaptcha-is-not-affected-by-log4shell-heres-how-we-know

Comments URL: https://news.ycombinator.com/item?id=29544450

Points: 3

# Comments: 0

New comment by eatbots in "ProtonMail includes Google Recaptcha for login"

eatbots — Sat, 29 May 2021 19:38:35 +0000

As a fan of ProtonMail, will just add a few points:

Every popular online service today is being continuously attacked. Bad actors get a lot of economic value from credential stuffing, account takeovers, and fake registrations, especially on email services.

This is why CAPTCHAs exist. They are one of the better tools in the defender's arsenal to increase the cost of attacks.

Building and maintaining a good CAPTCHA service is both hard and requires a high level of continuous development, since every day people are waking up and trying to figure out how to break it.

This means almost every company that tried building their own in the past has switched to either hCaptcha or Google, since it is not practical for even large companies to maintain their own solution these days.

Why was ProtonMail originally using Google? Probably because for many years it was the only plausible option until hCaptcha came around, and they needed to protect their users.

We're working with them now to switch over to the enterprise version of hCaptcha, which:

1) includes privacy-preserving features that let them decide exactly what user data hCaptcha sees and when, and 2) guarantees what happens to any data received via a data processing agreement, and 3) isn't run by an ad network.

hCaptcha doesn't care who you are and ensures all data is ephemeral, since unlike Google we're not trying to sell ads targeting you.

(disclosure: work there)

New comment by eatbots in "ProtonMail includes Google Recaptcha for login"

eatbots — Sat, 29 May 2021 18:19:06 +0000

This is not actually true: every relevant aspect is different from a privacy perspective, both technical and legal.

Looking only at the technical differences, hCaptcha lets enterprise users like Proton locally scrub any info like IPs prior to sending to hCaptcha. It can be set up so that the user makes no direct connection at all to the service, and the code runs inside of a sandboxed IFRAME.

As for false positive vs false negative rates, not sure what you consider too high. We've been able to demonstrate FP rates under 0.005% when measured against known-good/bad signals from customers, which is as good as it gets.

(disclosure: work there)