How @washeddark and I automated the solving of GOAT Black Friday captchas and demolished the FCFS releases (I still have the Diamond Supply Co. dunks that I hit for $75) A thread ?

GOAT Black Friday FCFS releases use a custom captcha system in which a user must click on the correct image of the shoe they are trying to buy before being allowed to submit their order. Here's an example of an incorrect image vs. a correct image:

On the GOAT app, these images float slowly around the screen so a user can easily tap on the correct image. Sometimes, the correct image would take a while to appear on the screen—giving bots that could identify the correct image a large advantage over humans.

But how could a bot identify the correct image without human interaction? The GOAT API provided an array of captcha image URLs and their corresponding IDs. There was no clear way to know the correct image ID from solely this data.

In 2019, the correct image was always the last (or first, I forget) in the array. I had a lot of fun with this until I got my information banned by doing something stupid ?

In 2020, GOAT made some changes. The correct image was now randomly placed in the array. To account for this, I made my bot prompt for the correct image after opening each of the image URLs. This was slower and my information was still banned, but it allowed some friends to cop.

In 2021, @washeddark and I teamed up to create the greatest GOAT bot known to mankind. We found something interesting with the captcha images: a way to detect the correct captcha image with no human interaction, giving us the ultimate advantage over both humans and other bots.

GOAT used a slightly higher resolution picture for the correct image but not for the incorrect ones. This meant that the file size of the correct image would ALWAYS be the largest when compared to the incorrect images.

By downloading each file and selecting the one with the largest file size, Dark and I could solve the GOAT captcha and place our orders before anyone manually solving the captcha. As you can see from Dark's tweet, we had some pretty nice success! ?

Thanks for reading! Although this isn't really a bypass, it's still a pretty cool and unconventional method that we employed to get around the captcha. Be sure to follow for more cool Epacity shenanigans! ?