Google has just patched a reCAPTCHA vuln that allowed users to bypass their authentication system.
ReCAPTCHA is the verification step that protects websites against bots and spam and stops users abusing online services. Google has been refining and improving reCAPTCHA for years, and has just released a v3 beta. The latest version gets rid of the interactive challenges and instead gives each user a ‘score’ that determines whether they are human or a bot, based on signals such as mouse movement.
ReCAPTCHA isn’t foolproof. Security researcher Andres Riancho found a flaw in the current system: the reCAPTCHA form could be bypassed whenever the web application using it built its verification request to /recaptcha/api/siteverify in an insecure way.
The insecure part was that such a request could be subjected to HTTP Parameter Pollution (multiple HTTP parameters with the same name), and from that a bypass exploit could be built. In other words, a bypass was possible whenever a web application sent its verification requests to the reCAPTCHA API in an insecure way.
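To make the insecure-versus-safe distinction concrete, here is an added example (not code from the original post or from Riancho's research) showing how a web application might build the siteverify request, how proper encoding stops a token from introducing a duplicate parameter, and how a verifier can detect polluted requests; the secret, the token values and the token alphabet check are assumptions.

```python
import re
from urllib.parse import urlencode, parse_qs

SITEVERIFY = "https://www.google.com/recaptcha/api/siteverify"

# Assumption: reCAPTCHA response tokens only use URL-safe base64 characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def build_query_insecure(secret, user_response):
    """Vulnerable pattern: the user-supplied token is concatenated raw
    into the query string, so any '&' or '=' inside it becomes a new
    parameter (HTTP Parameter Pollution)."""
    return f"secret={secret}&response={user_response}"


def build_query_safe(secret, user_response):
    """Hardened pattern: urlencode percent-escapes '&' and '=', so the
    token can never introduce a second parameter of its own."""
    return urlencode({"secret": secret, "response": user_response})


def is_wellformed_token(user_response):
    """Reject tokens before they reach the API if they contain anything
    outside the expected alphabet (assumption, see TOKEN_RE)."""
    return bool(TOKEN_RE.match(user_response))


def duplicated_params(query):
    """Detection: parameter names that appear more than once in a query,
    i.e. the parameter pollution a verifier should refuse to process."""
    parsed = parse_qs(query, keep_blank_values=True)
    return sorted(name for name, values in parsed.items() if len(values) > 1)


if __name__ == "__main__":
    # Constructed sample: a token padded with an extra parameter.
    secret = "APP_SECRET_PLACEHOLDER"
    token = "tok123&response=zzz"
    insecure = build_query_insecure(secret, token)
    safe = build_query_safe(secret, token)
    print(f"{SITEVERIFY}?{insecure}", duplicated_params(insecure))
    print(f"{SITEVERIFY}?{safe}", duplicated_params(safe))
    print("token well-formed:", is_wellformed_token(token))
```

The same builders apply to a POST form body, since siteverify accepts its parameters either way; the point is that the token must be encoded, never concatenated.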
The bug was reported to Google, who at first said that it was working perfectly, then realised there was a problem and paid out a bug bounty (which was then donated to charity).
There aren’t any patches required on the user’s side, as Google’s API has been fixed. Hopefully the new reCAPTCHA verification will cause far fewer problems…