PaTCHA

Written by: Lucie Sadler
Date Posted: 31 May 2018
Category: Tech

“I’m not a robot”

Auth process
Google has just patched a reCAPTCHA vuln that allowed users to bypass their authentication system.

ReCAPTCHA is the auth process that protects websites against bots and spam, and stops users abusing online services. Google has been refining and improving reCAPTCHA for years, and has just released a v3 beta. The latest version has got rid of the interactive challenges and instead gives users a ‘score’ that determines whether they are human or bot, for instance by detecting mouse movement.

Not foolproof
ReCAPTCHA isn’t foolproof. Security researcher Andres Riancho found an error in the current system: bypassing the reCAPTCHA form just required the web application using it to craft its request to /recaptcha/api/siteverify in an insecure way.

ReCAPTCHA is based on the Turing Test, where puzzles or logic cases are given to users to solve to prove that they’re not robots. So, when a site using reCAPTCHA pops up to verify the site visitor, Google provides a set of images through JavaScript code. Then, when the site visitor confirms that they are human by solving the image ‘puzzle’, an HTTP request is triggered. The web application then authenticates itself via a secure parameter, and Google’s reCAPTCHA API verifies it.

Parameter Pollution
But when HTTP Parameter Pollution (multiple HTTP parameters with the same name) is introduced, a bypass exploit can be created. In other words, a bypass could be created if a web application sent verification requests to the reCAPTCHA API in an insecure way.
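The insecure request construction described above, next to an encoded one, as an added example (not code from the original post, from Google or from the researcher). It assumes the verification request is a form body carrying the API's `secret` and `response` parameters and that tokens contain only URL-safe base64 characters; the function names and sample values are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode

# Assumption: a genuine token contains only URL-safe base64 characters.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,4096}")


def build_body_insecure(secret, token):
    """The 'before': the client-supplied token is concatenated unencoded,
    so an '&' inside it starts a new parameter in the outgoing request."""
    return "secret=" + secret + "&response=" + token


def build_body_safe(secret, token):
    """The 'after': every value is percent-encoded, so the token can only
    ever be the value of the single 'response' parameter."""
    return urlencode({"secret": secret, "response": token})


def build_body_strict(secret, token):
    """Defence in depth: refuse tokens with unexpected characters first."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("unexpected characters in reCAPTCHA token")
    return build_body_safe(secret, token)


def duplicated_params(body):
    """Names that occur more than once in a form-encoded body.
    Usable as a pre-send check or when reviewing logged outbound requests."""
    counts = Counter(n for n, _ in parse_qsl(body, keep_blank_values=True))
    return sorted(name for name, seen in counts.items() if seen > 1)


if __name__ == "__main__":
    secret = "PLACEHOLDER_SITE_SECRET"        # constructed placeholder
    polluted = "abc123&response=xyz"          # constructed sample input
    for builder in (build_body_insecure, build_body_safe):
        body = builder(secret, polluted)
        print(builder.__name__, "->", body)
        print("  duplicated parameters:", duplicated_params(body))
    try:
        build_body_strict(secret, polluted)
    except ValueError as exc:
        print("build_body_strict rejected the token:", exc)
```
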

The bug was reported to Google, who at first said that it was working perfectly, then realised there was a problem and paid out on the bug bounty (which was then donated to charity).

There aren’t any patches required for the user, as Google’s API has been fixed. Hopefully the new reCAPTCHA verification will cause a lot fewer problems…
