reCAPTCHA Vulnerability Patched After Bypass Discovered


Cloud and application security expert Andres Riancho discovered a method to bypass the reCAPTCHA protection mechanism, which is based on the Turing test. The vulnerability involved sending a specially crafted request to /recaptcha/api/siteverify in an unsafe manner.

Riancho explains that Google presents users with a selection of images and uses JavaScript to display them in the browser. When a user completes the task—such as identifying all cars in the images—they confirm their selection, which triggers an HTTP request to the web application. The application then verifies the user’s choice by contacting the reCAPTCHA API.

The application authenticates itself using a secret parameter and a reCAPTCHA-generated hash. If the user solves the challenge correctly, the API confirms success, and the application processes the response, granting the user access to the protected resource.

Riancho found that by using a technique called HTTP parameter pollution, a web application could be manipulated to trick reCAPTCHA. He notes, “HTTP parameter pollution is present almost everywhere—on both the client and server sides—and the associated risks depend heavily on the context. In some cases, it can lead to major security breaches, but in most cases, the risks are low.”

The expert points out that it is possible to send two HTTP requests to Google’s service and receive identical responses. The reCAPTCHA API will always use the first secret parameter in the request and ignore the second, which is what Riancho exploited.

“If a web application is vulnerable to HTTP parameter pollution and the URL is constructed so that the response parameter comes before the secret, an attacker can bypass reCAPTCHA verification,” Riancho writes.

Google specialists have already fixed the issue without the need for any patches. Riancho, who earned $500 for discovering the bug, explains that developers updated the REST API so that if a request to /recaptcha/api/siteverify contains two HTTP parameters with the same name, an error is now returned.
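The condition Riancho describes and the server-side fix can be seen side by side in a short sketch. This is an added example, not code from Riancho or Google; the function names, the placeholder secret and the sample input are constructed for illustration, and `first_wins` only models the "first secret parameter wins" behaviour the article attributes to the old API.

```python
from urllib.parse import urlencode, parse_qsl

APP_SECRET = "app-secret-placeholder"  # constructed value, stands in for the site's key


def build_unsafe(user_response: str) -> str:
    # Vulnerable pattern: raw concatenation, with response placed before secret.
    # Any '&' or '=' inside user_response becomes part of the query structure.
    return "response=" + user_response + "&secret=" + APP_SECRET


def build_safe(user_response: str) -> str:
    # Hardened form: urlencode percent-encodes '&' and '=', so the user-supplied
    # value stays a single parameter value and cannot introduce a new name.
    return urlencode({"secret": APP_SECRET, "response": user_response})


def first_wins(query: str) -> dict:
    # Model of the old behaviour: the first occurrence of a name is used and
    # later occurrences are ignored.
    params = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        params.setdefault(name, value)
    return params


def duplicate_names(query: str) -> list:
    # Model of the fix: a request carrying the same parameter name twice is an
    # error. An application can run the same check before sending its request.
    seen, dups = set(), []
    for name, _ in parse_qsl(query, keep_blank_values=True):
        if name in seen and name not in dups:
            dups.append(name)
        seen.add(name)
    return dups


# Constructed input: a response value that carries its own secret parameter.
POLLUTED = "token&secret=other-secret-placeholder"

if __name__ == "__main__":
    for build in (build_unsafe, build_safe):
        query = build(POLLUTED)
        print(build.__name__, first_wins(query)["secret"], duplicate_names(query))
```

With the unsafe builder the verifier model sees the injected secret first and the duplicate check flags `secret`; with the encoded builder the application's own secret is the only one present.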
