reCAPTCHA authenticates as valid even for two inco

2019-04-27 13:12发布

问题:

Just to give a background for my question, I am using Vanilla Forums for a website I run. Vanilla Forums comes with baked-in support for using reCAPTCHA to authenticate new registrations on the website, which I have enabled. Recently on my forum, however, I have seen a spike in spam registrations (obvious 'spammy' usernames, same email address used, et al.)

I looked into this to try to see how spambots could be getting past the reCAPTCHA verification. I know that in reCAPTCHA, one of the words is known by the system and the other isn't, so it is possible that a form submit might validate even if one incorrect word is entered.

So I tried out a couple of things on the registration form on my site, by entering invalid reCAPTCHA inputs. I found that...

  • If the number of characters entered per word is correct
  • The answer response entered for BOTH words is entered correctly EXCEPT FOR by one character

...no reCAPTCHA error is thrown.

I don't think this issue is isolated to Vanilla Forum either. When you go the the demo page for reCAPTCHA, try this yourself. Enter two words, correct number of characters, but the words themselves off by one character - with 'similar' looking characters (like, an 'a' instead of a 'd', 'v' instead of 'w'.)

Is there something wrong with Vanilla's implementation of reCAPTCHA or is this a known issue with reCAPTCHA itself? (You can test Vanilla's registration form here.)

Possibly related: Has reCaptcha been cracked / hacked / OCR'd / defeated / broken?

回答1:

Just found the answer in the reCAPTCHA wiki:

On the verification word, reCAPTCHA intentionally allows an "off by one" error depending on how much we trust the user giving the solution. This increases the user experience without impacting security. reCAPTCHA engineers monitor this functionality for abuse.