Google fixes reCAPTCHA bypass

reCAPTCHA is a well-known system designed to stop bots and spammers in their tracks. Recently, however, a cybersecurity flaw was discovered that allowed an attacker to circumvent it. Google has since fixed the problem.

reCAPTCHA uses a system of puzzles that are very easily solvable by a human being, but at the same time, very challenging for bots and automated programs to complete. The point of these puzzles is to make you prove that you are a legitimate user and not a spammer or a robot.

However, reCAPTCHA is not bulletproof; Andres Riancho, a cybersecurity researcher, managed to identify a vulnerability that attackers could use to bypass these checks successfully every single time.

Upon successfully solving an image puzzle, the system triggers a HTTP request. However, due to a phenomenon known as HTTP pollution, the process of supplying multiple HTTP parameters at the same time, it was possible to create a bypass exploit.

Allegedly, the bug was reported to Google on the 29th of January this year. However, Google did not seem to acknowledge the vulnerability at first, which caused the researcher to ask Google to re-read the vulnerability report one more time. Upon requesting additional information, they were able to confirm the bug two days later.

The researcher was awarded $500 for his efforts, all of which was donated to charity. The fix has already been implemented in Google’s REST API and there’s no need for you to do anything on your part.