The reCAPTCHA API always used the first secret parameter on the request and ignored the second one. This HTTP request will look like: POST /verify-recaptcha-response HTTP/1.1 The user solves the CAPTCHA and clicks “Verify”, which will trigger an HTTP request to the web application.
When the web application wants to challenge the user, Google provides an image set and uses JavaScript code to show them in the browser as follows: The following introduction is for the use case where the vulnerability was found. reCAPTCHA is a complex beast with a lot of use cases: sometimes it will trust you based on your existing cookies, sometimes it will require you to solve multiple challenges. ReCAPTCHA is a Google service that allows web application developers to add a CAPTCHA to their site with minimal effort. The security issue was fixed “upstream” at Google’s reCAPTCHA API and no modifications are required to your web applications. The bypass required the web application using reCAPTCHA to craft the request to /recaptcha/api/siteverify in an insecure way but when this situation occurred the attacker was able to bypass the protection every time. I reported a reCAPTCHA bypass to Google in late January.
0 kommentar(er)
