“HTTP parameter pollution is almost everywhere: client-side and server-side, and the associated risk depends greatly on the context,” explained Riancho.
“When this situation occurred the attacker was able to bypass the protection every time,” Riancho said in a post on the flaw posted on Monday, adding that Github searches showed that about 60 percent of web applications with reCAPTCHA integrations have a HTTP parameter pollution. This reduces the severity of the flaw, but also leads to a 100-percent success rate. In other words, the web application would need to send verification requests to the reCAPTCHA API in an insecure way. That in turn sends its own request to the Google reCAPTCHA API, which both verifies itself as a trusted application and requests verification that the visitor solved the reCAPTCHA correctly.Īn exploit for the bypass vulnerability required an HTTP parameter pollution in the web application, according to independent app security expert Andres Riancho, who reported the bypass (and earned $500 from the Google bug-bounty program for his efforts). Once a user solves the challenge and clicks verify, the reCAPTCHA function sends an HTTP request to the web application.
The internet giant said that more than over 300 million reCAPTCHAs are solved each day.īehind the scenes, a handshake is going on. Once embedded, it determines whether to trust website visitors based on their ability to solve a simple puzzle, such as clicking on all street signs in a presented photo, solving an audio challenge, or typing in a word or number that’s presented in distorted form. Essentially, web developers can drop in a reCAPTCHA code fairly easily using Google’s API. Google has been working on refining and strengthening reCAPTCHA for years, and last year extended it to mobile websites for Android users. The news comes as Google releases a new version of reCAPTCHA in beta. Google has fixed a bypass for its reCAPTCHA authentication mechanism – the Turing test-based methodology for proving that website users aren’t robots, commonly spotted on log-in pages online.
0 kommentar(er)
