Vulnerability in reCaptcha allows the same token to be activated up to 30 times

I thought for a long time about whether this was worth writing up, but last night I had some free time, so I decided to continue my series of articles on small problems in large projects. Perhaps everyone already knows about this and I am worrying for nothing.

We all know the reCaptcha service, which Google acquired a couple of years ago. We see it in many large projects, for example when registering on LiveJournal. I should say that I like downloading files from a list directly from my server, and when such a thing appeared on one of the sites from which I periodically download something, it started to annoy me a little. When I do not like something, I do not give up, but try to come up with a way around it.

So I decided to beat reCaptcha, and I think I succeeded...

When starting an analysis, I first ask questions. What is the biggest problem for such a large project? Most likely it is storing a very large amount of unnecessary information: statuses and actions. reCaptcha has to create a token, check it, and deactivate it.

The first two actions can be replaced with encryption (no storage needed), but deactivation is a bit more complicated. And the service also has to perform its “main” function of processing scanned documents. Where to store all this? One would like to save on it. And usually that is the developers' biggest mistake.

How reCaptcha works:
1. The service shows you two words; if it likes your answer, you are given a token.
2. The token is protected by a time limit.
3. After the site requests verification, the token is deactivated and cannot be used a second time.

The weak spot turned out to be in these last two points. It is known that the service limits a token to approximately five hours. But, as I found out, reCaptcha does not store your activated token for all that time; it seems to keep a block list and removes the token from it after about ten minutes of inactivity. That is, if you have not tried to activate that token again within ten minutes, it is removed from the block list. So in five hours you can use one single token up to thirty times; the main thing is to be patient and not touch it before the ten-minute interval has passed.

How to use it? Very simple! After creating 10 tokens, you can trigger an action on the site every minute for five hours, automatically. 300 activations from just 10 tokens. A very good offer, I think. More tokens, more frequent activations.

Unfortunately, on the reCaptcha page (Google Code) I did not find a single word about this problem. However, there is a very simple way to protect yourself from it: it is enough to store activated tokens (recaptcha_challenge_field) on the site side for five hours. After all, the probability of the same token being issued again during that time is almost zero.
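To make the site-side mitigation concrete, here is an added example (my code, not reCaptcha's or the post's). It assumes the ten-minute block-list behaviour described above and models it with a constructed `SimulatedRecaptcha`; `UsedTokenStore` is the site-side replay cache that keeps accepted challenge tokens for the full five-hour lifetime, and `accepted_count` replays one constructed token with and without the guard.

```python
import time
from typing import Callable, Dict, Iterable

TOKEN_LIFETIME = 5 * 60 * 60   # the service limits a token to about five hours
BLOCK_LIST_IDLE = 10 * 60      # observed: a used token leaves the block list after ~10 min idle


class SimulatedRecaptcha:
    """Constructed stand-in for the service behaviour described in the post (not Google's code)."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._blocked: Dict[str, float] = {}   # challenge -> time of last verification attempt

    def verify(self, challenge: str) -> bool:
        now = self._clock()
        last = self._blocked.get(challenge)
        self._blocked[challenge] = now         # any attempt refreshes the block-list entry
        return last is None or now - last >= BLOCK_LIST_IDLE


class UsedTokenStore:
    """Site-side mitigation: remember every accepted challenge for the full token lifetime.
    In production this would live in a shared database or cache so all web nodes see it."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._seen: Dict[str, float] = {}      # challenge -> time first accepted

    def mark_used(self, challenge: str) -> bool:
        """True if the challenge is fresh (and is now recorded); False if it is a replay."""
        now = self._clock()
        # drop entries older than the token lifetime; the service would reject those anyway
        self._seen = {c: t for c, t in self._seen.items() if now - t < TOKEN_LIFETIME}
        if challenge in self._seen:
            return False
        self._seen[challenge] = now
        return True


def accepted_count(attempt_times: Iterable[float], guarded: bool) -> int:
    """Replay one constructed challenge at the given offsets (seconds) and count how many pass."""
    clock = [0.0]                              # fake clock so the demo runs instantly
    service = SimulatedRecaptcha(lambda: clock[0])
    store = UsedTokenStore(lambda: clock[0])
    passed = 0
    for t in attempt_times:
        clock[0] = float(t)
        ok = service.verify("demo-challenge-token")          # constructed token value
        if ok and guarded:
            ok = store.mark_used("demo-challenge-token")      # site-side replay check
        passed += int(ok)
    return passed
```

Spacing the attempts ten minutes apart lets the unguarded model accept the one token thirty times within five hours, while the guarded site accepts it once.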

PS Usually my posts come with a small example of using the vulnerability, but this time I decided it was simple enough just to describe. The inquisitive mind of %username% will be able to verify on its own that this method works.
