Malik Ammar Faisal

developer, security enthusiast

I recently got a client on upwork who wanted me to automate twitter signup process especially the part of solving the funcaptcha, and boy, do I have some stories to share.

After countless hours of debugging, several facepalm moments, and way too much coffee, I finally got it working reliably. Here’s everything I learned about handling Twitter’s CAPTCHAs - hopefully it’ll save you some headaches!

The Initial Struggle

When I first started this project, I thought, “How hard can it be? Just send the CAPTCHA to a solving service and we’re done, right?” Oh, how naive I was. Turns out, Twitter’s implementation using Arkose Labs’ FunCaptcha is pretty sophisticated. The first few attempts failed miserably because I was missing crucial pieces of the puzzle.

The Breakthrough: Token Extraction

After a lot of trial and error (and packet sniffing), I discovered that we need three critical pieces:

  • The data blob
  • Session token
  • Flow token

Here’s the code that finally worked for capturing the data blob:

if 'arkoselabs.com' in url:
    if 'data=' in url:
        parsed = urlparse(url)
        params = parse_qs(parsed.query)
        if 'data' in params:
            self.data_blob = unquote(params['data'][0])

Fun fact: I initially tried getting the data blob from the page source, which worked… until it didn’t. The URL parameter method above proved much more reliable.

The Session Token Saga

Getting the session token was its own adventure. Here’s what finally worked:

if '/rtig/image' in url:
    parsed_url = urlparse(url)
    params = parse_qs(parsed_url.query)
    
    if 'sessionToken' in params:
        self.session_token = params['sessionToken'][0]

The CAPTCHA Solving Dance

Here’s where things get interesting. After trying various services, I found that using multiple solvers with fallback is the way to go. Here’s my battle-tested approach:

async def solve_captcha(self):
    # Try 2captcha first
    token = await self.solve_with_2captcha()
    if not token:
        # Fallback to anti-captcha
        token = await self.solve_with_anticaptcha()

The Token Submission Nightmare

This part had me pulling my hair out. Just getting the token isn’t enough - you need to submit it correctly. After many failed attempts, here’s what actually works:

await frame.evaluate(f"""
    const message = {{
        eventId: "challenge-complete",
        payload: {{
            sessionToken: "{token}"
        }}
    }};
    
    // Try multiple targets because why not?
    [window.parent, window.top, window].forEach(target => {{
        try {{
            target.postMessage(JSON.stringify(message), "*");
        }} catch (e) {{
            console.error('PostMessage failed:', e);
        }}
    }});
""")

Things I Wish I Knew Earlier

  1. Don’t Rush the Submit 
    await asyncio.sleep(1)  # Give it a moment to breathe

    I kept getting failures because I was submitting the token too quickly. Adding a small delay fixed it.

  2. Check Your Frames Always make sure the frame exists before trying to submit: 
    if not arkose_frames:
    print("No frames found - time to panic!")
    return False

My Biggest Facepalm Moments

Spent hours debugging and figuring out how to submit the funcaptcha solution.

Final Thoughts

Getting Twitter’s CAPTCHA system working reliably is definitely possible, but it requires attention to detail and a lot of patience. The key things to remember:

  • Use multiple solving services
  • Handle your frames carefully
  • Log everything (you’ll thank me later)

Updated:

You May Also Enjoy

Process Injection into RWX Memory

Ever wondered how to inject shellcode into an RWX memory region of a running process on Windows using rust? Probably not, but here’s how you can do it anyway.