CAPTCHA breaks login workflow #235

Open
cookiengineer opened this issue Nov 4, 2022 · 29 comments

@cookiengineer

cookiengineer commented Nov 4, 2022

When using hydroxide auth <username>, it will lead to a captcha being displayed on the website, which seems to break the login/auth mechanism:

2022/11/04 08:45:47 request failed: POST https://mail.proton.me/api/auth: [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse
2022/11/04 08:45:47 [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse

Are there any ways to maybe log in via browser and export/reuse the cookies or similar?

@hiddeninthesand

I'm able to reproduce this behavior regardless of if I'm using Tor, a normal proxy, or a VPN. Would being able to use cookies from a browser be related to #218?

@cookiengineer
Author

Yes, indeed a cookie jar implementation would help to allow users to temporarily bypass the login procedure within their web browser, and to export the cookie jar file (Netscape format?) then.

I've made a Browser Extension that exports the cookie jar, for tools like yt-dlp and other scrapers: https://github.com/cookiengineer/me-want-cookies

@hiddeninthesand

hiddeninthesand commented Nov 7, 2022

How does hydroxide currently store cookies? Maybe there's a more manual method to bypass it for the time being?

@emersion
Owner

emersion commented Nov 7, 2022

It does not preserve cookies across requests, and #218 is about fixing that.

@julianfairfax

Is there anything I can do about this? Or can I just never connect a new device? Does that mean if the config for my current devices is lost, I won't be able to log them back in again either?

@0x1eef

0x1eef commented Dec 2, 2022

> Does that mean if the config for my current devices is lost, I won't be able to log them back in again either?

Yeah, it probably does. I tried to use hydroxide for the first time, and I can't use it because of this problem.

@0x1eef

0x1eef commented Dec 3, 2022

For anyone else who runs into this, the change in #225 fixed the issue for me.

@osfanbuff63

> For anyone else who runs into this, the change in #225 fixed the issue for me.

Tried the master branch of this repo and the change in #225, neither helped. Unfortunately I don't know Go so I can't help on this one, but I hope someone can fix this soon.

@0x1eef

0x1eef commented Dec 5, 2022

I went down this rabbit hole, and if you are really stuck, the official proton-bridge might help. It can be built without the GUI (make build-nogui), but requires at least "pass" to be installed and doesn't build out-of-the-box on *BSD.

I created a FreeBSD port for hydroxide. That's what I am using at the moment: https://github.com/0x1eef/ports/tree/main/freebsd/mail/hydroxide. It pulls in the patch from #225 during build time. I'm not sure why it works for some, and not others. I also don't know Go to help further than that.

@bruceleerabbit

The most proper fix would be for hydroxide to seamlessly launch the CAPTCHA puzzle instead of crapping out. From there, everything else is just hacks & workarounds (all of which are less convenient than if hydroxide were to render the puzzle on demand).

That said, I’ve heard rumors that the CAPTCHA is never sent to onion users. If you’re using a Tor exit node to reach the clearnet API, it’s a recipe for CAPTCHA hell. Theoretically, you can reach the onion API by following the steps in bug #239. (Of course the caveat at the moment is that the auth command fails in that scenario).

@Staubgeborener

@0x1eef but how did you launch the official proton-bridge after building?

[user@nuc proton-bridge]$ make build-nogui
#successfully install process
[user@nuc proton-bridge]$ ls
bridge     Changelog.md  CONTRIBUTING.md   dist  extern  go.sum    LICENSE   pkg            README.md      tests    utils
BUILDS.md  cmd           COPYING_NOTES.md  doc   go.mod  internal  Makefile  proton-bridge  release-notes  TODO.md
[user@nuc proton-bridge]$ ./proton-bridge
FATA[Dec 24 10:44:21.808] No executable in launcher directory           error="no executable found" exe_to_launch=bridge-gui launcher_path=/home/user/proton-bridge/proton-bridge launcher_version=3.0.6+git

@0x1eef

0x1eef commented Dec 24, 2022

@Staubgeborener

Try ./proton-bridge --cli.

I wasn't able to build proton-bridge on (Free|Open)BSD. It is not platform neutral. It expects to be built on either Windows, Linux, or OS X.

wonderfulShrineMaidenOfParadise added a commit to wonderfulShrineMaidenOfParadise/hydroxide that referenced this issue Jan 6, 2023
wonderfulShrineMaidenOfParadise added a commit to wonderfulShrineMaidenOfParadise/hydroxide that referenced this issue Jan 6, 2023
emersion pushed a commit that referenced this issue Jan 6, 2023
@eternal-sorrow

I get this from proton-bridge:

Server error: paid subscription plan is required

So no, proton-bridge is not an alternative to hydroxide.

@0x1eef

0x1eef commented Jan 24, 2023

As far as I know a paid subscription is required regardless of whether or not hydroxide is being used.

@eternal-sorrow

Hydroxide does not require paid subscription.

@0x1eef

0x1eef commented Jan 24, 2023

That's good, and surprising. I wouldn't have thought Proton would let you generate a bridge password without a paid subscription.

@fromtheeast710

When will this issue be fixed? I really want to get ProtonMail working with Thunderbird.

@emersion
Owner

When someone figures out a proper solution.

@eternal-sorrow

eternal-sorrow commented Feb 13, 2023

Recently it stopped giving me this message and started working again.

@Staubgeborener

Sadly I still need a captcha

@0-x-2-2

0-x-2-2 commented May 11, 2023

Try to enable 2FA on your account.

@Staubgeborener

Staubgeborener commented May 11, 2023

> Try to enable 2FA on your account.

I enabled 2FA, still

[user@host hydroxide]$ ./hydroxide auth [email protected]
Password:
2023/05/11 19:20:13 request failed: POST https://mail.proton.me/api/auth: [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse
2023/05/11 19:20:13 [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse

Edit: So this is the final answer for this problem. Adding req.Header.Set("x-pm-appversion", "Other") to protonmail.go (line 123) together with 2FA is fixing this issue.

@cwegener

>> Try to enable 2FA on your account.
>
> I enabled 2FA, still
>
> [user@host hydroxide]$ ./hydroxide auth [email protected]
> Password:
> 2023/05/11 19:20:13 request failed: POST https://mail.proton.me/api/auth: [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse
> 2023/05/11 19:20:13 [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse
>
> Edit: So this is the final answer for this problem. Adding req.Header.Set("x-pm-appversion", "Other") to protonmail.go (line 123) together with 2FA is fixing this issue.

I just tried that combination and it did not skip the Captcha challenge for me.

The response to the /api/auth POST is the following message:

{
    "Code": 9001,
    "Details": {
        "Description": "",
        "Direct": 1,
        "HumanVerificationMethods": [
            "captcha"
        ],
        "HumanVerificationToken": "FXO12rGNIDTlbXH2l6l7YYnw",
        "Title": "Human Verification"
    },
    "Error": "For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse"
}

The response also includes a session cookie.
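
Added example, not code from this thread or from hydroxide: one way a Go client could recognise the human-verification response shown above and report it as a distinct, typed error instead of a generic request failure. The names `HumanVerificationError` and `classifyAuthError` are hypothetical, and the sample body is constructed from the fields in the response above with a placeholder token.

```go
package main

import (
	"encoding/json"
	"fmt"
)

const codeHumanVerification = 9001 // code shown in the thread's logs and JSON body

// apiError mirrors only fields visible in the response quoted above.
type apiError struct {
	Code    int
	Error   string
	Details struct {
		HumanVerificationMethods []string
		HumanVerificationToken   string
	}
}

// HumanVerificationError is a hypothetical typed error, not part of hydroxide.
type HumanVerificationError struct {
	Methods []string
	Token   string // deliberately left out of Error() so it never reaches logs
	Message string
}

func (e *HumanVerificationError) Error() string {
	return fmt.Sprintf("human verification required %v: %s", e.Methods, e.Message)
}

// classifyAuthError turns the body of a failed /api/auth call into a typed error.
func classifyAuthError(body []byte) error {
	var r apiError
	if err := json.Unmarshal(body, &r); err != nil {
		return fmt.Errorf("malformed API error body: %w", err)
	}
	d := r.Details
	if r.Code == codeHumanVerification && len(d.HumanVerificationMethods) > 0 {
		return &HumanVerificationError{Methods: d.HumanVerificationMethods, Token: d.HumanVerificationToken, Message: r.Error}
	}
	return fmt.Errorf("[%d] %s", r.Code, r.Error)
}

// Constructed sample shaped like the response above; the token is a placeholder.
const sampleBody = `{"Code":9001,"Details":{"Description":"","Direct":1,"HumanVerificationMethods":["captcha"],"HumanVerificationToken":"CONSTRUCTED-TOKEN","Title":"Human Verification"},"Error":"For security reasons, please complete CAPTCHA."}`

func main() {
	fmt.Println(classifyAuthError([]byte(sampleBody)))
}
```

A caller can branch on the result with `errors.As` and tell the user to complete verification in the official web client before retrying, which is the workaround reported later in this thread.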

@KricejJanezMartin

I am also still having problems with solving the CAPTCHA. Are there any new workarounds? Tried the extra code added to protonmail.go - no luck, and tried to authenticate with session ID as mentioned but it didn't work. If anyone got around it, I kindly ask for help. Thanks.

@gravilk

gravilk commented Nov 5, 2023

I've had this captcha solver on the side for a while now. If anybody wants to implement this into hydroxide, you're free to do so. Sorry if some imports are missing but the most important parts are there. 100% solve rate so far.

@oxalica

oxalica commented Jan 12, 2024

If we have to solve CAPTCHA somehow, could we have an interactive way to (temporarily?) pass the authentication? Prompting an image URL and letting the user type the answer is good enough for me, assuming the CAPTCHA only occurs sometimes during logging in, which is interactive anyway. But currently it just fails and gives up with an escape hatch.

@wonderfulShrineMaidenOfParadise
Contributor

I have a workaround for the CAPTCHA. Maybe someone would feel like giving it a try.
#268 (comment)

@altbert

altbert commented Aug 2, 2024

The workaround I used was to log in to my ProtonMail account from the official domain and complete the displayed CAPTCHA; then I was able to log in with hydroxide again.
