• Resolved php4fan

    (@php4fan)


    We had this plugin installed on several blogs we manage, configured to use Google Recaptcha v3, and enabled on the Comment form among others.

    Despite that, we were getting dozens of spam comments every day, clearly by bots, so I started to investigate, because Google Recaptcha v3 isn’t usually that bad and this didn’t seem normal.


    First I looked at the settings and I was expecting to find a configurable threshold for the score. For those who don’t know (which apparently includes the authors of this plugin), Google Recaptcha v3 works by assigning a score between 0.0 and 1.0 to each submission, where 0 means most likely to be a bot, and 1 means most likely to be a human. It’s not like Recaptcha v2 which directly gives you a verdict (“this is a bot” vs “this is a human”). It gives you a score that represents the likelihood of the user being a human, and you are supposed to decide what to do with it.

    When you verify the user’s submission on the server side by contacting Google’s server, you get a response that includes this score, and you are supposed to decide, based on this score, what to do with the submission. The easiest and probably most common thing to do is to compare the score to a given threshold, e.g. 0.5, and reject the submission as spam if the score is below the threshold, and accept it as valid if above.

    So, as I was saying, I noticed that the plugin doesn’t have a setting for the score threshold, and I thought that’s strange, but maybe they use a hard-coded threshold. So I thought I’d have a look at the source code and see what’s going on.

    To my surprise, there is no occurrence of the string “score” in the source code.

    The relevant code in the plugin that verifies the submission on the server side is in the file libs/functions.php:

    if (!isset($_POST['g-recaptcha-response']) || empty($_POST['g-recaptcha-response'])) { // phpcs:ignore
        return new WP_Error('wpcaptcha_recaptchav3_not_submitted', __("<strong>ERROR</strong>: reCAPTCHA verification failed.<br /><br />Please try again.", 'advanced-google-recaptcha'));
    } else {
        $secret = $options['captcha_secret_key'];
        // Token and secret are sent to Google's siteverify endpoint in the query string.
        $response = wp_remote_get('https://www.google.com/recaptcha/api/siteverify?secret=' . $secret . '&response=' . sanitize_text_field(wp_unslash($_POST['g-recaptcha-response']))); // phpcs:ignore
        if (is_wp_error($response)) {
            return new WP_Error('wpcaptcha_recaptchav3_failed', __("<strong>ERROR</strong>: reCAPTCHA verification request failed<br /><br />", 'advanced-google-recaptcha') . $response->get_error_message());
        }
        $response = json_decode($response['body']);

        // Only the "success" flag is checked; the v3 "score" field in the response is never read.
        if ($response->success) {
            return true;
        } else {
            return new WP_Error('wpcaptcha_recaptchav3_failed', __("<strong>ERROR</strong>: reCAPTCHA verification failed.<br /><br />Please try again.", 'advanced-google-recaptcha'));
        }
    }

    Note in particular this:

    if ($response->success) {
        return true;
    } else {
        return new WP_Error('wpcaptcha_recaptchav3_failed', /*.....*/);
    }

    This would be correct for Google Recaptcha v2, but in v3 “success” doesn’t mean “this submission is from a human”. It barely means that there weren’t any egregious errors such as an invalid or missing token or something.

    This basically means that the plugin lets through any submission, regardless of the score given by Google. Even if Google returns a score of ZERO, meaning the user is 100% a bot, the plugin will let it pass.

    No wonder we were getting tons of spam. Having this plugin is almost like having no recaptcha at all.

    The only thing this blocks is bots that don’t run javascript, and little more.

    I don’t understand how such a fundamentally broken plugin that doesn’t do the most basic task it’s designed to do, can have 100k+ downloads. I guess people just assume Google Recaptcha v3 is that ineffective. Or maybe many people are still using v2 or other recaptcha providers (assuming those are implemented properly).

    Oh, and all of this was before the latest update. With version 1.23, there’s a javascript error that triggers a recaptcha error systematically, rejecting ALL submissions (bots _and_ humans). I can only imagine the fun if you have enabled recaptcha on the login page. But I see there are already several other topics about that one.

    I immediately uninstalled the plugin and installed another one, which does implement Google Recaptcha v3 correctly.
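For comparison with the snippet quoted above, here is an added example (not the plugin's code and not part of the original post) of a reCAPTCHA v3 server-side check that actually enforces the score. It assumes the WordPress HTTP API (`wp_remote_post`, `wp_remote_retrieve_body`, `WP_Error`) is available; the function name `example_verify_recaptcha_v3`, the default threshold of 0.5 and the option key `captcha_secret_key` used in the usage comment are assumptions for illustration.

```php
<?php
// Added example: verify a reCAPTCHA v3 token and enforce a minimum score.
// Function name, threshold and option keys are illustrative assumptions.

/**
 * @param string $token           Value of the g-recaptcha-response field.
 * @param string $secret          Site secret key.
 * @param string $expected_action Action name passed to grecaptcha.execute() on the client.
 * @param float  $min_score       Minimum acceptable score (0.0 = likely bot, 1.0 = likely human).
 * @return true|WP_Error
 */
function example_verify_recaptcha_v3($token, $secret, $expected_action, $min_score = 0.5) {
    if (!is_string($token) || $token === '') {
        return new WP_Error('recaptcha_not_submitted', 'reCAPTCHA token missing.');
    }

    // siteverify is documented as a POST endpoint; sending secret and token in the
    // body keeps them out of proxy and web-server access logs.
    $response = wp_remote_post('https://www.google.com/recaptcha/api/siteverify', array(
        'timeout' => 10,
        'body'    => array(
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '',
        ),
    ));
    if (is_wp_error($response)) {
        // Fail closed: a verification outage must not turn into an open door.
        return new WP_Error('recaptcha_request_failed', $response->get_error_message());
    }

    $data = json_decode(wp_remote_retrieve_body($response), true);
    if (!is_array($data) || empty($data['success'])) {
        // success=false only means the token itself was invalid, expired or reused.
        return new WP_Error('recaptcha_invalid_token', 'reCAPTCHA token rejected.');
    }

    // v3-specific fields: success=true says nothing about bot vs human; the score does.
    if (!isset($data['score']) || !isset($data['action'])) {
        return new WP_Error('recaptcha_not_v3', 'Response lacks v3 score/action fields.');
    }
    if ($data['action'] !== $expected_action) {
        // A token minted for another action (e.g. a page view) must not validate a comment.
        return new WP_Error('recaptcha_action_mismatch', 'Unexpected reCAPTCHA action.');
    }
    if ((float) $data['score'] < $min_score) {
        return new WP_Error(
            'recaptcha_low_score',
            sprintf('reCAPTCHA score %.2f is below the threshold of %.2f.', $data['score'], $min_score)
        );
    }
    return true;
}

// Illustrative use inside a comment-form validation hook:
// $token  = isset($_POST['g-recaptcha-response'])
//     ? sanitize_text_field(wp_unslash($_POST['g-recaptcha-response'])) : '';
// $result = example_verify_recaptcha_v3($token, $options['captcha_secret_key'], 'comment', 0.5);
// if (is_wp_error($result)) {
//     wp_die($result);
// }
```

The threshold is a tuning knob, not a fixed answer: a site seeing bot traffic scored around 0.3 can raise it, while a site with many users behind privacy tooling may need to lower it. Logging the score alongside each rejection for a few days before enforcing a cutoff is the usual way to pick a sensible value. Checking `action` as well as `score` matters because a v3 token is tied to the action the client requested it for, so a token obtained for a low-risk page load should not be accepted for a comment or login submission.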

Viewing 1 replies (of 1 total)
  • Plugin Author WebFactory

    (@webfactory)

    Thank you for all the details, we’ll make sure to fix the bug. Glad to see you found a plugin that better suits your needs. That’s the true power of the Repo.
