Recaptcha can be bypassed
I’ve been using the Recaptcha on a login form to prevent bots from repeatedly attempting to log in. Mostly this has worked well, but it’s not ideal for everyday use. After implementing the Recaptcha I noticed that some attempts were getting past the Recaptcha. After doing some research, my theory is that if the Recaptcha is solved on the first attempt, a cookie will be stored, and the user will be free to make further attempts without the need to re-solve the Recaptcha. This is despite the fact that the login attempt has failed.
Ideally I’d like to have the Recaptcha work in the following way:
1. Recaptcha would only display on the login form after a failed login attempt
2. Recaptcha would continue to display unless a login attempt was successful
3. After x failed attempts the user’s IP would be blacklisted.

It seems that the core function of the Recaptcha should be to prevent bots, and if a single solving can enable the bot to proceed, then the Recaptcha isn’t really doing its job. From testing the Recaptcha on the page it seems to work correctly in the form. It’s possible that the script is able to disable or bypass it. I’m assuming it’s being solved manually and then a login script is being run. If you can provide any support in regards to how to make the above changes, it’d be much appreciated.