• Resolved Mohan Raj

    (@mohanrajnr)


    Hi Dev,

    (Sorry for my bad english)

    I am a developer and cracker. While I was in a hunt to search a reliable wordpress secure login captcha plugin I found yours. I was able to reverse engineer the numeric captcha where you save your info as a hidden field. The problem here is while I visit manually first I will ne able to calculate the answer and I will note down the hidden field values for “aiowps-captcha-string-info”, “aiowps-captcha-temp-string”. Later I will be able to hit website with the know values of captcha using a curl request to find out the username password(brute force algorithm) resulting your captcha will be totally ignored.

    ie)
    Field Value
    aiowps-captcha-string-info MTQxOTg0MzkwMTJjNG1ydjZtOXRmbW1vb3hrcmo3MTA=
    aiowps-captcha-temp-string 1419843901
    aiowps-captcha-answer 10

    I will use the above field-values to break the captcha.

    I really loved the idea of Cookie Based Brute Force Login but I when I thought of using this plugin I found a tiny loophole in captcha.

    https://www.ads-software.com/plugins/all-in-one-wp-security-and-firewall/

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi mohanrajnr thank you for reporting the loophole. One of the plugin developers will look into this issue.

    Kind regards

    Thread Starter Mohan Raj

    (@mohanrajnr)

    Thank you for swift response. Awaiting for a fix as I will be using this plugin in one of my site.

    Plugin Contributor wpsolutions

    (@wpsolutions)

    Hi and thanks for the feedback.

    In order to do what you are claiming, you will firstly need to get to the login page……but if you have one of the other features enabled (such as the cookie based brute force, rename login page or white list) how will you get past those barriers?

    The captcha we use isn’t perfect, just like other captcha methods aren’t perfect too, but it does provide a reasonable barrier against most current robots.

    The real brute force stopping power comes from one of the other features such as the cookie based brute force, rename login page or white list. Use one of these together with the captcha (or on their own) and you will find that brute force attacks like the one you mention will be very difficult to do.

    The simple numeric captcha option offered in the plugin is not suppose to be an ubreakable captcha. It is a simple and lightweight captcha system that provides another small additional barrier.

    I also have a problem with Captcha, basically the login displays the math Captcha, but then it doesn’t seem to be required. If we login without using the Captcha it just allows us to login with no error or rejected login. I do understand Captcha isn’t perfect, but this issues make it irrelevant. Please let me know if there is either a setting or if this is true issues let me know how I can help resolve.

    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi cjwallac this support thread has being marked as resolved. Can you open up a new one please.

    Thank you

    Yes thanks!

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Numeric captcha not reliable’ is closed to new replies.