• Resolved datlicht

    (@datlicht)


    I just found a serious bug in AIOWPS Version 4.3.8.3 that just leaves me speechless.

    For the login page I activated the math captcha (Bruteforce -> Captcha), I see it on the login page and can only log in if it is solved. So far, so good.

    But if I just edit out the captcha elements on the login page (e.g. with Firebug or Chrome developer tools), I can log in without having to solve any captcha.

    This renders the captcha function absolutely useless (and btw. explains loads of mails about hack attempts on my blog).

    [EDIT] Btw. this also applies to reCAPTCHA v2

    • This topic was modified 5 years, 9 months ago by datlicht.
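The bypass described in the post above comes down to one server-side decision: whether the captcha check is skipped when the captcha field is simply absent from the POST body. The following is an added illustrative example written for this page, not AIOWPS code and not the fix the plugin later shipped. It shows a hypothetical `example_captcha_check_vulnerable()` that only verifies an answer when the field arrives, beside a hardened `example_captcha_check_hardened()` that treats a missing field as a failure and keeps the expected answer on the server, bound to a one-time token, so nothing in the form can be edited away to pass. All function names, the `captcha_answer`/`captcha_token` field names and the `example_captcha_enabled` option are assumptions; the WordPress hooks and helpers (`authenticate`, `login_form`, transients, `WP_Error`, `hash_equals`) are real.

```php
<?php
// Added example, not code from AIOWPS. Demonstrates why "verify only if the
// field is present" is bypassable and what a field-must-be-present check looks
// like in a WordPress `authenticate` filter.

// VULNERABLE PATTERN: deleting <input name="captcha_answer"> in DevTools means
// $_POST['captcha_answer'] is unset, the branch is skipped, and $user (the
// WP_User already produced by wp_authenticate_username_password) passes through.
function example_captcha_check_vulnerable( $user, $username, $password ) {
    if ( isset( $_POST['captcha_answer'] ) ) {
        if ( ! example_verify_answer( $_POST['captcha_answer'], $_POST['captcha_token'] ?? '' ) ) {
            return new WP_Error( 'captcha_failed', 'Wrong captcha answer.' );
        }
    }
    return $user; // missing field => no check => login allowed
}

// HARDENED: once the feature is enabled, every login attempt must carry a valid
// answer and token. Absence of either field is a failure, not a skip.
function example_captcha_check_hardened( $user, $username, $password ) {
    if ( ! get_option( 'example_captcha_enabled' ) ) { // hypothetical option name
        return $user;
    }
    $answer = isset( $_POST['captcha_answer'] ) ? (string) $_POST['captcha_answer'] : '';
    $token  = isset( $_POST['captcha_token'] )  ? (string) $_POST['captcha_token']  : '';
    if ( '' === $answer || '' === $token || ! example_verify_answer( $answer, $token ) ) {
        return new WP_Error( 'captcha_failed', 'Please solve the captcha.' );
    }
    return $user;
}
// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a wrong captcha rejects even a correct password.
add_filter( 'authenticate', 'example_captcha_check_hardened', 30, 3 );

// Render the challenge. The expected answer never reaches the browser; only a
// random token does, and the answer is stored server-side under that token.
function example_render_math_captcha() {
    $a     = random_int( 1, 9 );
    $b     = random_int( 1, 9 );
    $token = wp_generate_password( 20, false ); // alphanumeric only
    set_transient( 'example_captcha_' . $token, (string) ( $a + $b ), 5 * MINUTE_IN_SECONDS );
    printf(
        '<p><label>%d + %d = <input type="text" name="captcha_answer" autocomplete="off" /></label>'
        . '<input type="hidden" name="captcha_token" value="%s" /></p>',
        $a,
        $b,
        esc_attr( $token )
    );
}
add_action( 'login_form', 'example_render_math_captcha' );

// Verify against the stored answer. The token is consumed on first use so a
// solved challenge cannot be replayed across many password guesses.
function example_verify_answer( $answer, $token ) {
    if ( ! preg_match( '/^[A-Za-z0-9]{20}$/', (string) $token ) ) {
        return false;
    }
    $key      = 'example_captcha_' . $token;
    $expected = get_transient( $key );
    delete_transient( $key ); // one attempt per token, match or not
    return false !== $expected && hash_equals( $expected, trim( (string) $answer ) );
}
```

Two practical notes on the hardened version. First, because it hangs off the `authenticate` filter rather than a specific form, it also covers a replacement login screen such as the one "Theme My Login" renders, as long as that form includes the fields from `example_render_math_captcha()`. Second, `wp_authenticate()` applies the same filter for XML-RPC logins, which carry no captcha fields at all, so with this check enabled XML-RPC password authentication fails closed; given the thread's concern about brute force through `xmlrpc.php`, that is usually the desired outcome, but it has to be a deliberate choice.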
  • Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi,
    Thanks for the feedback. I am looking into this – will get back to you tomorrow.

    > explains loads of mails about hack attempts on my blog

    Maybe not. I think this could be due to attempts on your xmlrpc.php file.
    Have you blocked access to that file?

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Update: I found the bug and fixed it. Plugin update will be released very soon.

    Thread Starter datlicht

    (@datlicht)

    > explains loads of mails about hack attempts on my blog

    > Maybe not. I think this could be due to attempts on your xmlrpc.php file.
    > Have you blocked access to that file?

    Yep. It looks like someone has a dozen virtual machines or cloud computers and distributes his login trials over his network. I currently receive about 50-80 notification emails per day that some IPs have been blocked due to invalid credentials. Ah, and they’re not always the same IPs, that would make it too easy to ban them. Of course.

    But I think that will be cut down if the captcha is fixed?

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    You can also improve your protection by enabling the “Enable Rename Login Page” feature if you have not already done so. This is located in WP Security -> Brute Force -> Rename Login Page.

    Kind regards

    • This reply was modified 5 years, 9 months ago by mbrsolution.
    Thread Starter datlicht

    (@datlicht)

    Yes and no. I’m currently using the plugin “Theme My Login” as I want to display a legal disclaimer on the login screen.

  • The topic ‘BUG: captcha easy to trick’ is closed to new replies.