Parameter pollution rendered bot detection service useless

Google has fixed a bug in reCAPTCHA, the free service designed to protect websites from spam and abuse, after a researcher discovered that its security protections could be bypassed.

Launched in 2007, reCAPTCHA is a widely used service that helps prevent spam bots and other abusive internet activity.

Over the past 10 years, the service has received many improvements. The current version shuns the traditional word-typing challenge in favor of a risk-based system which asks some users to select one or more images from a set, as it attempts to distinguish humans from bots.

In a blog post published earlier this week, Argentinean security researcher Andrés Riancho found that reCAPTCHA’s security provisions could be bypassed if certain attack requirements are met.

“The bypass required the web application using reCAPTCHA to craft the request to /recaptcha/api/siteverify in an insecure way,” Riancho said. “But when this situation occurred, the attacker was able to bypass the protection every time.”

“If the application was vulnerable to HTTP parameter pollution and the URL was constructed by appending the response parameter before the secret, then an attacker was able to bypass the reCAPTCHA verification.”
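To make the insecure request pattern concrete, the following Python snippet (an added example, not code from the article, from Riancho, or from Google) contrasts the concatenation pattern described above with a hardened version. The `/recaptcha/api/siteverify` path is the one named in the article, and `secret` and `response` are reCAPTCHA's documented siteverify parameters; the token character-set rule and all sample values are assumptions constructed for the example.

```python
"""Unsafe vs. hardened construction of a reCAPTCHA siteverify request.

Added example (not the article's, Riancho's, or Google's code).
Sample secrets and tokens below are constructed placeholders.
"""
import re
import urllib.parse

SITEVERIFY = "https://www.google.com/recaptcha/api/siteverify"

# Assumption: a well-formed reCAPTCHA response token contains only
# URL-safe base64 characters, so anything else is rejected up front.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def build_unsafe(secret: str, response: str) -> str:
    """The insecure pattern the article describes: raw string concatenation,
    the user-controlled `response` placed *before* `secret`, and no
    percent-encoding, so an `&` inside `response` starts a new parameter."""
    return f"{SITEVERIFY}?response={response}&secret={secret}"


def encoded_query(params: dict) -> str:
    """Percent-encode every value; `&` and `=` inside a value become
    %26 and %3D and can no longer introduce or override a parameter."""
    return urllib.parse.urlencode(params)


def build_safe(secret: str, response: str) -> tuple:
    """Hardened form: validate the token shape, encode all values, and
    send them as a POST body rather than splicing them into the URL."""
    if not TOKEN_RE.match(response):
        raise ValueError("malformed reCAPTCHA response token")
    return SITEVERIFY, encoded_query({"secret": secret, "response": response})


def query_of_url(url: str) -> str:
    """Return just the query-string component of a URL."""
    return urllib.parse.urlsplit(url).query


def parameter_counts(query: str) -> dict:
    """How many times each parameter name occurs in an encoded query string.
    Any count above 1 is the tell-tale sign of HTTP parameter pollution."""
    parsed = urllib.parse.parse_qs(query, keep_blank_values=True)
    return {name: len(values) for name, values in parsed.items()}


def is_polluted(query: str) -> bool:
    """True if any parameter appears more than once (a detection check a
    reviewer or a proxy log filter can apply to outbound siteverify calls)."""
    return any(n > 1 for n in parameter_counts(query).values())


if __name__ == "__main__":
    SECRET = "constructed-server-side-secret"
    GOOD_TOKEN = "03AGdBq25_constructed_token"
    # Constructed: a `response` value carrying an unencoded '&'.
    HOSTILE = "x&secret=user-controlled"

    url = build_unsafe(SECRET, HOSTILE)
    print(url)
    print("unsafe request polluted:", is_polluted(query_of_url(url)))

    _, body = build_safe(SECRET, GOOD_TOKEN)
    print(body)
    print("hardened request polluted:", is_polluted(body))
```

The `is_polluted` check is the useful defensive takeaway: run it over the exact query string (or POST body) your application hands to the HTTP client, and any duplicate parameter name means user input is being spliced in without encoding. Note that encoding alone already defeats the pollution; the token-shape check is a second, cheaper layer that rejects obviously malformed input before it reaches the request builder.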

Discussing the potential impact of the bug, the researcher told The Daily Swig: “Prior to the fix it was possible to bypass reCAPTCHA on affected sites in a 100% effective way.

“An attacker would have been able to circumvent this protection and perform thousands of automated requests on a login form to brute-force user credentials.”

After initially contesting the validity of Riancho’s vulnerability disclosure, Google has now fixed the issue upstream at the reCAPTCHA API, meaning no modifications are required to the affected web applications.

“Fixing it this way they are protecting the applications which are vulnerable to the HTTP Parameter Pollution and the reCAPTCHA bypass, without requiring them to apply any patches,” Riancho said.