MoBiC-04: reCaptcha CAPTCHA bypass
22:52 04.11.2007
The next participant of the project is reCaptcha. It is a popular captcha used at many web sites.
As stated at recaptcha.net, this captcha has plugins for many engines, such as WordPress, MediaWiki, phpBB, Movable Type, Drupal, Symfony, Typo3, NucleusCMS, vBulletin and Joomla. It is a popular external captcha service, so many thousands of sites are at risk when this captcha is set up incorrectly.
This captcha is vulnerable to one interesting bypass method (I call it the captcha token bypass method). I found this Insufficient Anti-automation hole on 31.08.2007.
In the captcha token bypass method you bypass the tokens only, without answering any captcha image. You send only the captcha_token parameter (and do not send the recaptcha_response_field parameter at all), and the site accepts the post without ever checking an answer. For the bypass you need a new captcha token for every post, because a used token is not accepted again.
I found this hole at www.keng.ws. Other sites that use reCaptcha, which I also tested, were not vulnerable to it, so it is just an incorrect implementation of the captcha. But there may well be many other sites with such holes (sites which have not set up reCaptcha correctly).
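To make the bypass concrete, here is an added example (not code from the original post, from reCAPTCHA, or from the Drupal Captcha module) that models a site-side captcha check in Python. The site mints a one-time captcha_token with each form and expects the client to echo it together with the answer in recaptcha_response_field; only those two parameter names come from the post. The two handlers are hypothetical: `submit_vulnerable` reproduces the behaviour described above (a post carrying only a fresh token, with no answer field, is accepted), and `submit_fixed` shows the check a correct implementation performs. The expected answer is a constant so the model runs offline instead of calling the reCAPTCHA verify service.

```python
"""Model of the captcha token bypass described in the post.

Added, constructed example. The CaptchaSite class is a hypothetical form
handler, not the code of any real site, plugin or module. The parameter
names captcha_token and recaptcha_response_field are the ones named in
the post; everything else is an assumption of this model.
"""
import secrets
from typing import Dict, List, Optional, Set

# Stand-in for the reCAPTCHA verify service: the one answer that counts
# as correct in this offline model.
EXPECTED_ANSWER = "correct horse"


class CaptchaSite:
    """A form handler that issues one-time tokens and validates posts."""

    def __init__(self) -> None:
        self._unused_tokens: Set[str] = set()
        self.posts: List[Dict[str, str]] = []  # accepted submissions

    def render_form(self) -> str:
        """Serve the form: mint a fresh captcha_token and remember it."""
        token = secrets.token_hex(8)
        self._unused_tokens.add(token)
        return token

    def _consume_token(self, token: Optional[str]) -> bool:
        """Tokens are single-use. This is the part the bypass respects by
        fetching a new token for every post."""
        if token is None or token not in self._unused_tokens:
            return False
        self._unused_tokens.discard(token)
        return True

    def submit_vulnerable(self, fields: Dict[str, str]) -> bool:
        """Incorrect implementation (hypothetical): the answer is only
        checked when recaptcha_response_field is present. A post with a
        fresh captcha_token and no answer field falls through and is
        accepted. That is the hole the post describes."""
        if not self._consume_token(fields.get("captcha_token")):
            return False
        if "recaptcha_response_field" in fields:
            if fields["recaptcha_response_field"] != EXPECTED_ANSWER:
                return False
        self.posts.append(fields)
        return True

    def submit_fixed(self, fields: Dict[str, str]) -> bool:
        """Correct implementation: a valid one-time token AND a correct
        answer are both mandatory. A missing answer is a failed captcha,
        never a pass."""
        if not self._consume_token(fields.get("captcha_token")):
            return False
        if fields.get("recaptcha_response_field") != EXPECTED_ANSWER:
            return False
        self.posts.append(fields)
        return True


def run_bypass(handler_name: str, attempts: int = 3) -> int:
    """Replay the bypass against one handler and return how many posts got
    through. Each attempt fetches a fresh token and sends it with no
    recaptcha_response_field, exactly as the post describes."""
    site = CaptchaSite()
    handler = getattr(site, handler_name)
    accepted = 0
    for i in range(attempts):
        token = site.render_form()
        if handler({"captcha_token": token, "comment": f"spam {i}"}):
            accepted += 1
    return accepted


def token_reuse_accepted(handler_name: str) -> bool:
    """Can one token be replayed twice? Neither handler allows it, which is
    why the bypass needs a new token per post."""
    site = CaptchaSite()
    handler = getattr(site, handler_name)
    token = site.render_form()
    first = handler({"captcha_token": token})
    second = handler({"captcha_token": token})
    return first and second


if __name__ == "__main__":
    print("vulnerable handler accepted", run_bypass("submit_vulnerable"), "of 3")
    print("fixed handler accepted", run_bypass("submit_fixed"), "of 3")
```

The check a site owner wants is the one in `submit_fixed`: treat an absent answer as a wrong answer, and keep tokens single-use so that a correct answer cannot be replayed either.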
Insufficient Anti-automation:
Guys, please don't overdo it with this captcha bypass test. Don't post too much at this site. This exploit is for educational purposes only.
Moral: never implement captchas incorrectly.
P.S.
This vulnerability concerns only the reCaptcha plugin for Drupal.
Monday, 21:23 05.11.2007
Hi,
I’m one of the engineers on reCAPTCHA. This issue appears to be drupal.org/node/114364. It is a security flaw in the drupal code rather than the reCAPTCHA plugin.
In the future, we’d appreciate disclosure of potential security issues via support@recaptcha.net rather than by blogging.
Thursday, 23:49 08.11.2007
Ben
It’s good that you responded. As I wrote in my article, after I found this hole at keng.ws I also tested some other sites which use reCaptcha, and they were not vulnerable to this hole. So it’s some issue at this site (with the plugin or with Drupal), and it’s possible that there are many sites with such a hole.
The page you referred to says that the problem is not in Drupal itself (Drupal core is not affected), but in the Captcha plugin. So it’s a plugin issue, not an engine issue, as the developers said. And it’s a different plugin than reCaptcha. So if it’s the same issue, then the hole is in the Captcha plugin and in the reCaptcha plugin (for Drupal, and there is a possibility that plugins for other CMSs can have such a hole too).
Man, I’m not just blogging, like you said. It is a project: Month of Bugs in Captchas. And in this project, like in my previous project Month of Search Engines Bugs, I’m using full disclosure. So all information is posted with details. But I’m trying to inform every participant of the project (owners of the sites with vulnerable captchas) about the holes at their sites beforehand. From your side, you need to work so that every plugin and every engine which uses reCaptcha has no such Insufficient Anti-automation vulnerabilities. And inform every site’s admin which has a vulnerable reCaptcha setup about that.
Friday, 00:38 09.11.2007
Actually, the reCAPTCHA plugin is a “subplugin” of the CAPTCHA plugin. So the CAPTCHA plugin hole (which was fixed months ago) is the real cause of the problem.
reCAPTCHA actually gives admins better tools than most CAPTCHAs to enforce security. As an example, reCAPTCHA takes care of duplicate solutions, preventing the site administrators from needing to worry about this.
Full disclosure is a good practice. What is not a good practice is full disclosure before notifying the authors of the code in question and giving them a chance to fix it. I really hope you’ll reconsider this for the future.
Friday, 08:12 25.12.2009
Hello,
I need to bypass the captcha on this page, I'm not quite sure how to do so.
Is it still possible?
Thank you
RRR
Wednesday, 02:11 15.12.2010
Last week I announced a new vulnerability in reCAPTCHA for Drupal, which concerns new versions of Drupal (and new versions of its Captcha module).
Wednesday, 23:52 15.12.2010
Ben
reCAPTCHA is a subplugin, so the hole was in the main plugin (in that case), but you have responsibility for this hole too. Because it’s your module, and there must be no bypasses of the captcha (even due to holes in some other Drupal modules). Your plugin must be immune to such issues, up to making your own captcha module which will be a “stand-alone” module, i.e. will not require any other modules to work.
During 2006-2010 I used appropriate disclosure policies in every case and will be doing so in future. For the MOSEB and MoBiC projects I used one disclosure policy, for other cases other appropriate disclosure policies.
Wednesday, 23:55 15.12.2010
unknown
You need to read the above-mentioned description of the vulnerability and look at the source code of the exploit which I provided.
Yes, it is. That vulnerability concerns old versions of Drupal (and its Captcha module). But as I mentioned before, I recently announced a new vulnerability in reCAPTCHA for Drupal (which I found this year). It concerns new versions of Drupal (and its Captcha module).