
Vulnerability in reCaptcha allows you to activate up to 30 actions on the same token

I thought for a long time about whether this was worth telling, but last night I had some free time, and I decided to continue my series of articles about small problems in large projects. Perhaps this is already known to everyone and I am worrying for nothing.

We all know the reCaptcha service that Google acquired a couple of years ago. We see it in many large projects, for example when registering with LiveJournal. I must say that I like to download files in bulk directly from my server, and when such a thing appeared on one of the sites from which I occasionally download something, it became a bit annoying to me. When I don't like something, I don't give up; I try to think of a way around it.

So I decided to beat reCaptcha, and I think I did...

When starting an analysis, I first ask myself questions. What is the biggest problem for a project this large? Most likely, it is storing a very large amount of auxiliary information: statuses and actions. ReCaptcha must create a token, check it, and deactivate it.

While the first two actions can be handled with cryptography alone (no storage), deactivation is a bit more complicated. And the service also has to perform its "main" function of digitizing scanned documents. Where is all of this stored? You would want to save on it. And that, usually, is developers' biggest mistake.

How reCaptcha works:
  1. The service asks you for two words; if it accepts your answer, you are given a token.
  2. A time limit is embedded in the token.
  3. After the site requests verification, the token is deactivated and cannot be used a second time.

The weak spot turned out to be in these last two points. It is known that the service limits a token's validity to about five hours. But, as I found out, reCaptcha does not store your activated token for all of this time; it seems to keep a lock list and remove the token from it after about ten minutes of inactivity. That is, if you do not try to activate the token again for ten minutes, it is removed from the blocking list. Thus, in five hours a single token can be used up to thirty times; the main thing is to be patient and not use it before the ten-minute interval has passed.

How can this be used? Very simply: with 10 tokens, you can trigger the action on the site every minute for five hours automatically. 300 activations from just 10 tokens. Not a bad deal, I think. More tokens, more frequent activations.

Unfortunately, on the reCaptcha site (Google Code) I have not found a single word about this problem. However, there is a very simple way to protect against it: it is enough to store activated tokens (recaptcha_challenge_field) on the site side for five hours and reject any token seen before. After all, the probability of the service issuing exactly the same token within that time is almost zero.
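As an added example (not from the original post), a site-side replay guard of the kind the paragraph recommends: it remembers every accepted recaptcha_challenge_field for the token's five-hour lifetime and refuses repeats before contacting the service. The remote verifier is a constructed stand-in that mimics the ten-minute lock behaviour described above; the names FakeRecaptcha, ReplayGuard and demo are hypothetical.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed example, not the post's code; time is passed in as seconds.
TOKEN_LIFETIME = 5 * 60 * 60   # token valid about five hours (per the post)
SERVICE_LOCK_WINDOW = 10 * 60  # service forgets a used token after ~10 idle min

class FakeRecaptcha:
    """Stand-in for the remote verifier, mimicking the behaviour the post
    describes: a used token stays blocked only while retries keep coming."""

    def __init__(self, tokens: Iterable[str], issued_at: float) -> None:
        self._issued = {t: issued_at for t in tokens}
        self._last_try: Dict[str, float] = {}

    def verify(self, token: str, now: float) -> bool:
        issued = self._issued.get(token)
        if issued is None or now - issued > TOKEN_LIFETIME:
            return False                    # unknown or expired token
        last = self._last_try.get(token)
        self._last_try[token] = now         # any retry refreshes the idle timer
        return last is None or now - last >= SERVICE_LOCK_WINDOW

class ReplayGuard:
    """Site-side fix from the post: remember every accepted
    recaptcha_challenge_field for the token's full five-hour lifetime."""

    def __init__(self, verify: Callable[[str, float], bool]) -> None:
        self._verify = verify
        self._seen: Dict[str, float] = {}   # token -> time first accepted

    def accept(self, token: str, now: float) -> bool:
        # Entries older than the token lifetime can no longer pass the
        # service anyway, so dropping them keeps the store bounded.
        self._seen = {t: f for t, f in self._seen.items()
                      if now - f <= TOKEN_LIFETIME}
        if token in self._seen:
            return False                    # replay: refuse without a round trip
        if not self._verify(token, now):
            return False
        self._seen[token] = now
        return True

def demo() -> Tuple[List[bool], List[bool]]:
    # Same token used twice, eleven idle minutes apart, with and without the guard.
    naive = FakeRecaptcha(["tok-A"], issued_at=0.0)
    unguarded = [naive.verify("tok-A", 0.0), naive.verify("tok-A", 11 * 60)]
    guard = ReplayGuard(FakeRecaptcha(["tok-A"], issued_at=0.0).verify)
    guarded = [guard.accept("tok-A", 0.0), guard.accept("tok-A", 11 * 60)]
    return unguarded, guarded
```

Without the guard the stand-in service accepts the second use after eleven idle minutes, exactly the window the post describes; with the guard the site refuses it locally.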

PS Usually my posts come with a small example of exploiting the vulnerability, but this time I decided that simply describing it would be enough. An inquisitive %username% will be able to test whether this method works.

Source: https://habr.com/ru/post/120265/
