I hope this is the right forum to ask this question.
I've recently integrated reCaptcha v3 into a website I manage in order to protect the login form.
I get a lot of noise from users saying that if they are in the office (and originate from the same IP), or from customers who are using shared IPs (office IPs), they are failing login.
For the meantime I've disabled reCaptcha by allowing a score of 0 to log in.
My question is: is there a built-in way in reCaptcha to send Google's API information about the request, or should I just add the reCaptcha score into my own calculation when allowing the login?
Thanks!
Brief Summary
Let's start with a brief introduction to what a Google reCaptcha farm is: a service that bot developers can query via an API to automate solving Google reCaptcha:
The bot is blocked by a Captcha challenge.
It makes an API call to the Captcha farm with the website’s Captcha public key & its domain name as parameters.
The Captcha farm asks one of its workers to solve the Captcha.
After ~30-45 seconds, the Captcha is solved and you obtain its response token.
The bot solves the Captcha by submitting the response token.
In short, solving a Captcha is as simple as calling a function in the bot's code. The attacker doesn't even need to interact directly with the Google reCaptcha by clicking on it. If the attackers know the structure and the URL of the Google reCaptcha callback, i.e. the request where the website sends the Google reCaptcha response token after a successful response has been submitted (which is straightforward by looking at the devtools), they can prove that they've solved a Captcha without even using a real browser.
Problem
My website is fully integrated with Google reCaptcha V2 (Invisible reCaptcha). The implementation follows all steps listed in the documentation. It worked like a charm till now. As time passed by, we experienced different kinds of attacks that tried to infiltrate our login. The one that caused the biggest problem was a dictionary attack combined with an automated Google reCaptcha solving mechanism. The attackers are using farms (or maybe scripts) that solve the Google reCaptcha and generate unique response codes, which are used by a bot network (different IP addresses around the world, User-Agents, browser fingerprints, etc.). Using these codes, the Google reCaptcha is taken out of the picture and we MUST use different mechanisms to block the attackers.
Question
I reviewed the Google reCaptcha documentation multiple times, along with different topics related to this problem, but couldn't find a way to prevent such an attack in an easy way. I have a few questions and will be very grateful if somebody succeeds in answering them:
Is it possible to bind the Google reCaptcha response code to a code challenge, cookie or something similar in order to ensure that the code is generated by the exact client?
Is there any way to distinguish the Google reCaptcha codes, taken from a farm/script and the ones generated by the exact client?
I found that there are some solutions such as DataDome, which are very expensive. Is there something similar but at a lower price, or an algorithm that can be implemented on my own?
Big thanks in advance!
Script
Below is a simplification of the script that acts like a Google reCaptcha farm:
// Render an invisible widget into a placeholder the script adds itself, then
// trigger it; the callback stores the response token so it can be sent in a
// separate request, without a real form submission.
bypassReCaptcha();

function bypassReCaptcha() {
    // render() returns the widget id; execute() fires the invisible challenge.
    const widgetId = grecaptcha.render(createPlaceholder(), buildConfiguration());
    grecaptcha.execute(widgetId);
}

function createPlaceholder() {
    // Append a container for the widget without re-parsing the whole body.
    const placeholder = document.createElement('div');
    placeholder.className = 'g-recaptcha-hacker';
    document.body.appendChild(placeholder);
    return placeholder;
}

function buildConfiguration() {
    return {
        size: 'invisible',
        badge: 'bottomleft',
        sitekey: '<your site-key>',
        // Called with the response token once the invisible challenge passes.
        callback: (reCaptchaResponse) => localStorage.setItem('reCaptchaResponse', reCaptchaResponse)
    };
}
I am using server-side validation, something like this:
curl -X POST 'https://www.google.com/recaptcha/api/siteverify?secret=<your secret>&response=<generated code from above>&remoteip=<client IP address>'
It seems that the remoteip parameter is not working as expected: the validation is successful regardless of the client IP. I checked some topics and it seems that this is a common problem:
Google reCAPTCHA's remoteip parameter is ignored
Is there any reason to include the remote ip when using reCaptcha?
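Both the v3 question at the top of the page (whether to fold the score into the site's own login decision) and the server-side check in this post stop at siteverify returning success. As an added example, not code from either poster, the following shows the rest of what the documented siteverify JSON lets the server check: hostname, challenge_ts freshness and, for v3, action and score. The HTTP call to siteverify is left to the caller so the example runs offline; the sample responses, hostnames and reference time are constructed.

```python
"""Server-side checks on a reCAPTCHA siteverify response.

Added example, not code from either post above.  It assumes the JSON shape
Google documents for https://www.google.com/recaptcha/api/siteverify:
success, challenge_ts, hostname and error-codes (v2 and v3), plus score
and action (v3 only).  The HTTP call is left to the caller so this runs
offline; the sample responses, hostnames and reference time are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def parse_challenge_ts(value: str) -> datetime:
    """Parse challenge_ts, documented as ISO 8601 (yyyy-MM-dd'T'HH:mm:ssZZ).

    fromisoformat() rejects a trailing "Z" before Python 3.11, so it is
    normalised to "+00:00"; a timestamp without an offset is taken as UTC.
    """
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def evaluate_siteverify(
    body: str,
    expected_hostname: str,
    now: datetime,
    max_age: timedelta = timedelta(minutes=2),
    expected_action: Optional[str] = None,
    min_score: Optional[float] = None,
) -> Decision:
    """Decide whether one siteverify result should let the login proceed.

    success        must be true; error-codes says why not, e.g.
                   "timeout-or-duplicate" for an expired or replayed token.
    hostname       must be this site, so a token solved against the same
                   sitekey on another host is not accepted here.
    challenge_ts   must be recent; the default matches Google's two-minute
                   token lifetime, a site may choose a tighter window.
    action/score   (v3) the token must come from the expected form and the
                   score must meet the threshold the caller picked.
    """
    data = json.loads(body)
    if not data.get("success"):
        codes = data.get("error-codes", [])
        return Decision(False, "siteverify failed: " + (",".join(codes) or "no error code"))
    if data.get("hostname") != expected_hostname:
        return Decision(False, f"hostname mismatch: {data.get('hostname')!r}")
    try:
        age = now - parse_challenge_ts(data["challenge_ts"])
    except (KeyError, TypeError, AttributeError, ValueError):
        return Decision(False, "missing or malformed challenge_ts")
    if age < timedelta(0) or age > max_age:
        return Decision(False, f"token age {int(age.total_seconds())}s outside window")
    if expected_action is not None and data.get("action") != expected_action:
        return Decision(False, f"action mismatch: {data.get('action')!r}")
    if min_score is not None:
        score = data.get("score")
        if not isinstance(score, (int, float)) or score < min_score:
            return Decision(False, f"score {score!r} below threshold {min_score}")
    return Decision(True, "ok")


# Constructed reference time and sample responses in the documented shape.
NOW = datetime(2024, 5, 1, 12, 35, 0, tzinfo=timezone.utc)
SITE = "login.example.com"
FRESH_V3 = json.dumps({"success": True, "challenge_ts": "2024-05-01T12:34:30Z",
                       "hostname": SITE, "score": 0.7, "action": "login"})
STALE_V2 = json.dumps({"success": True, "challenge_ts": "2024-05-01T12:20:00Z",
                       "hostname": SITE})
REPLAYED = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})
OTHER_HOST = json.dumps({"success": True, "challenge_ts": "2024-05-01T12:34:50Z",
                         "hostname": "other-site.example"})

if __name__ == "__main__":
    print("fresh v3  ", evaluate_siteverify(FRESH_V3, SITE, NOW, expected_action="login", min_score=0.5))
    print("stale v2  ", evaluate_siteverify(STALE_V2, SITE, NOW))
    print("replayed  ", evaluate_siteverify(REPLAYED, SITE, NOW))
    print("other host", evaluate_siteverify(OTHER_HOST, SITE, NOW))
```

The age window does not defeat a farm by itself: a farmed token is a genuine token, so success is true and hostname can match. What the checks remove is slack, namely replayed tokens (Google reports them as timeout-or-duplicate because each token verifies once), tokens minted for another host or another form's action, and tokens older than the window the site chooses. For the v3 case, min_score is deliberately a parameter so the caller can pick it from its own signals, for instance a looser threshold for an account with no recent failures and a stricter one after several, rather than a single global cut-off that trips on shared office IPs.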
Google is currently sending out a mass email that looks like this:
Dear Webmaster,
You are receiving this email because you are registered as a website administrator using reCAPTCHA, and your website is still using reCAPTCHA v1, which will be turned off on March 31, 2018.
We announced the reCAPTCHA v1 deprecation in May 2016. Starting in November 2017, a small percentage of reCAPTCHA v1 traffic will begin to show a notice informing users that the old API will soon be retired. Any calls to the v1 API will not work after March 31, 2018.
To ensure continued functionality, you’ll need to update your website to a current version of reCAPTCHA. You can learn more about reCAPTCHA v2, Invisible reCAPTCHA and reCAPTCHA Android API in our Developer’s Guide. The new APIs are simple to implement and will streamline the captcha experience for your users. If you need help, you can engage in the reCAPTCHA Google Developer Group or post to Stack Overflow with the ‘recaptcha’ tag.
We hope that your upgrade will be seamless, and we’re confident you’ll be happy with the results.
Thank you,
reCAPTCHA Support
For those of us who have built dozens (or hundreds) of sites with reCAPTCHA over the years, is there a simple way to identify which websites are using version 1?
This question has also been asked in the Google Developers ReCAPTCHA group (by someone else) and I will monitor answers there and post them here if they are relevant: https://groups.google.com/forum/#!topic/recaptcha/KRzmHivCtjM
You might have a look at https://www.google.com/recaptcha/admin#list. However, for me all of the sites have V2 as Site Type, while I got the same email as you. While checking some of the sites I noticed they were actually using reCAPTCHA v1.
One method: browse each site and look at the reCAPTCHA itself:
v1 == punch in letters to complete the captcha.
v2 == select images to complete the captcha.
Could be tedious, yes, but should do the job.
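The manual check above works one site at a time. As an added example, not from the poster, the function below classifies a page's HTML by the script URLs the v1 and v2 embed snippets load; the marker patterns are my assumption about what those snippets contain, and the sample pages are constructed. Fetching each site's page and feeding the HTML in is left to the caller so that the example runs offline.

```python
"""Classify which reCAPTCHA version a page embeds.

Added example, not part of the posts above.  The markers are my assumption
about the v1 and v2 embed snippets: v1 loaded its challenge from
api.recaptcha.net / api-secure.recaptcha.net or www.google.com/recaptcha/api/challenge,
v2 loads www.google.com/recaptcha/api.js (or the recaptcha.net mirror) and
uses a g-recaptcha container.  The sample pages are constructed.
"""
import re
from typing import Dict, List

V1_MARKERS = (
    re.compile(r"api(?:-secure)?\.recaptcha\.net/", re.I),
    re.compile(r"google\.com/recaptcha/api/(?:challenge|noscript)\b", re.I),
)
V2_MARKERS = (
    re.compile(r"google\.com/recaptcha/api\.js", re.I),
    re.compile(r"recaptcha\.net/recaptcha/api\.js", re.I),
    re.compile(r"""class=["']g-recaptcha["']""", re.I),
)


def classify_recaptcha(html: str) -> str:
    """Return 'v1', 'v2', 'both' or 'none' for one page's HTML."""
    has_v1 = any(p.search(html) for p in V1_MARKERS)
    has_v2 = any(p.search(html) for p in V2_MARKERS)
    if has_v1 and has_v2:
        return "both"  # mid-migration, or a template still carrying old markup
    if has_v1:
        return "v1"
    if has_v2:
        return "v2"
    return "none"


def sites_needing_upgrade(pages: Dict[str, str]) -> List[str]:
    """Given {site: html}, list the sites that still load the v1 API."""
    return sorted(site for site, html in pages.items()
                  if classify_recaptcha(html) in ("v1", "both"))


# Constructed sample pages; PUBLIC_KEY stands in for a real site key.
SAMPLE_PAGES = {
    "old.example": '<script src="http://www.google.com/recaptcha/api/challenge?k=PUBLIC_KEY"></script>',
    "new.example": ('<script src="https://www.google.com/recaptcha/api.js" async defer></script>'
                    '<div class="g-recaptcha" data-sitekey="PUBLIC_KEY"></div>'),
    "legacy-net.example": '<script src="https://api-secure.recaptcha.net/challenge?k=PUBLIC_KEY"></script>',
    "plain.example": "<form><input name=user></form>",
}

if __name__ == "__main__":
    for site, html in SAMPLE_PAGES.items():
        print(f"{site:20s} {classify_recaptcha(html)}")
    print("still on v1:", sites_needing_upgrade(SAMPLE_PAGES))
```

A "both" result is worth a look by hand: a template that keeps the old markup next to the new script will still break for users after the v1 cut-off, and a site whose reCAPTCHA lives behind a login or on a secondary form needs that page fetched, not just the front page.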
I am developing a service using the Gmail API for enterprise.
When testing, I noticed that the API's rate limit is different between a free Google account and a G Suite account.
Does anyone know where I can find the Google API request limits for G Suite?
A little late, but hopefully this will help someone in the future.
If you go to support.google.com, search for G Suite Administrator Help and click on the link, it will take you to the G Suite Administrator Help page. Then go to Manage Your Services and click on Gmail.
On the Gmail-Manage Gmail for your G Suite Team page currently here (https://support.google.com/a/topic/9202?hl=en&ref_topic=9197) look under the section Policies/Abuse Controls.
It lists the limits for sending, receiving, storage, etc.
I'm trying to get people at a company to fill in a google forms survey with permissions from management.
The problem is that someone there has blocked all google features except search (I know it's crazy).
The survey is fairly large and the question format is tailored to google forms so rewriting it in a different survey system is hardly an option.
I also cannot ask them all to install a proxy or vpn.
I tried conventional proxy sites but they are view-only, e.g. they can't fill in the survey.
Are there any other methods I can try to allow the people to fill in my google form survey?
Thanks!
Google announced Invisible ReCAPTCHA is coming soon. For now, if you want to integrate the new reCAPTCHA to your site or app you can register here.
I do have 2 site keys whitelisted for the new Invisible reCaptcha and I've started "playing" with their examples: see them here https://developers.google.com/recaptcha/docs/invisible
Yes, when the page loads the reCAPTCHA is invisible, but when the form is submitted the reCAPTCHA challenge appears every time. You have to click on images, draw something around something else... etc.
I've been testing this on different servers, 2 different sites which have the site key approved to use the Invisible reCaptcha, with different browsers from different locations. Same behavior: Google shows the challenge when the form is submitted on all 3 examples they have on their page.
Is this what we should expect?
Just as with the checkbox, if it can't reliably determine if you aren't a bot, you get a challenge. I can confirm that the invisible part does work when you are detected as a human.
Actually, you have to approve the Terms of Service when you create a new reCAPTCHA site, which say that
You agree to explicitly inform visitors to your site that you have implemented the Invisible reCAPTCHA on your site and that their use of the Invisible reCAPTCHA is subject to the Google Privacy Policy and Terms of Use.