Google has resolved a security vulnerability in reCAPTCHA which allowed threat actors to bypass the system.
ReCAPTCHA is a free offering from Google to protect webmasters against robots and bots designed to propagate spam and abuse online services.
Based on the Turing Test, reCAPTCHA uses puzzles or logic cases which humans pass in order to prove they are not bots. However, it may also trust website visitors based on their cookies.
ReCAPTCHA is not foolproof and in some cases, it can be bypassed. However, according to security researcher Andres Riancho, a vulnerability existed which allowed the protections to be circumvented every time.
Riancho said in a blog post on Monday that the bypass required the web application using reCAPTCHA to craft a request to /recaptcha/api/siteverify in an insecure manner.
The web application authenticates itself to the API with a "secret" parameter and submits the user's response in a "reCAPTCHA-generated-hash" parameter. Google's reCAPTCHA API then verifies this response.
However, when HTTP parameter pollution (the supply of multiple HTTP parameters with the same name) is introduced, a bypass becomes possible.
"If the application was vulnerable to HTTP parameter pollution and the URL was constructed by appending the response parameter before the secret then an attacker was able to bypass the reCAPTCHA verification," the researcher said.
The bug was reported to Google on 29 January. However, the tech giant's response was not quite what Riancho expected, as the company simply pointed the researcher to an explanation page which claimed, "reCAPTCHA was working exactly as designed."
The page reads:
"Every now and then we receive reports mentioning that a reCAPTCHA challenge that's presented to the users in various places (e.g. when creating a Google account) can be occasionally bypassed and accepts even invalid answers to a challenge.
For example, when users type invalid words, or select different images, they still pass the challenge. While this behavior might be surprising, it's actually working as intended, and a technically interesting product feature of reCAPTCHA."
As Riancho's findings were based on an exploit which could bypass reCAPTCHA mechanisms every time, the researcher asked Google to re-read the vulnerability report.
By 31 January, Google had requested additional information, and only 24 hours later confirmed the bug.
On 15 February, Google awarded the researcher $500 which was donated to charity, and a patch to resolve the flaw was released on 25 March.
The security issue was fixed at the level of Google's reCAPTCHA API and so no fixes are necessary for individual web applications.
"Google decided to fix this issue in their REST API, and I believe it was a wise move," Riancho added. "Their fix is simple: If the HTTP request to /recaptcha/api/siteverify contains two parameters with the same name, then [it] return[s] an error. Fixing it this way they are protecting the applications which are vulnerable to the HTTP Parameter Pollution and the reCAPTCHA bypass, without requiring them to apply any patches."
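The URL construction pattern Riancho describes and the duplicate-parameter check he attributes to Google's fix can be sketched as follows. This is an added example, not code from Riancho's post or from Google; the function names are hypothetical, the secret and token values are constructed placeholders, and nothing is sent over the network.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit

VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def build_verify_url_unsafe(secret, user_response):
    # Pattern described in the article: raw concatenation, response before secret.
    # Any '&' or '=' in the user-supplied value becomes part of the query string.
    return VERIFY_URL + "?response=" + user_response + "&secret=" + secret


def build_verify_url_safe(secret, user_response):
    # urlencode percent-encodes '&' and '=', so the value stays a single parameter.
    return VERIFY_URL + "?" + urlencode({"secret": secret, "response": user_response})


def duplicate_params(url):
    """Return the sorted names of query parameters that appear more than once."""
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return sorted(n for n, c in Counter(names).items() if c > 1)


def check_request(url):
    """Mirror of the described fix: refuse a request with a repeated parameter name."""
    dups = duplicate_params(url)
    return ("error", dups) if dups else ("ok", [])


# Constructed sample values (assumptions for illustration, not real keys or tokens).
SITE_SECRET = "SITE-SECRET-PLACEHOLDER"
CLEAN_RESPONSE = "token-abc123"
POLLUTED_RESPONSE = "token-abc123&secret=OTHER-PLACEHOLDER"

if __name__ == "__main__":
    for label, resp in (("clean", CLEAN_RESPONSE), ("polluted", POLLUTED_RESPONSE)):
        unsafe = build_verify_url_unsafe(SITE_SECRET, resp)
        safe = build_verify_url_safe(SITE_SECRET, resp)
        print(label, "unsafe builder:", check_request(unsafe))
        print(label, "safe builder:  ", check_request(safe))
```

Applications that build the verification request themselves can run the same duplicate check on incoming requests, so a polluted value is rejected before it reaches any URL builder.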