Domain check for Google reCAPTCHA - Security issue


Harin

Jan 26, 2017, 1:17:09 PM
to reCAPTCHA
Hi All,

We are facing issue using recaptcha in mobile (hybrid) apps. I am getting "Invalid site" error. I am thinking of disabling domain check so that widget will be loaded in apps as well. BUT Google has mentioned it as a major security hole.

Can someone help me to understand the security risk google is referring?

Thanks,
Harin


Jack Yasgar

Jan 29, 2017, 10:27:33 AM
to reCAPTCHA
Hey Harin,

The security built into recaptcha validates that the website URL that is posting the request for captcha validation is one of the URLs that you have stated is legitimate in your dashboard. If you disable it, that means that anyone could do a simple copy of your code to another, theoretically malicious, site and it would work on that site without any changes.

As is pointed out on this group in another post, this security is relatively superficial. In my opinion it would only stop:

1. A very novice hacker
2. A bot copying files from sites en masse for some purpose

If you disable it, that means that a hacker could set up a fake site with your pages. Then they could put an index.html page on your site that redirects users to their malicious site and the Google reCAPTCHA would not care one way or the other and still allow submissions under your account, even though the page is on a different website. The hacker could capture the user's personal data, while still allowing the page to submit back to your site and the user, as well as you, would not know the difference.

Recaptcha is not really meant to stop this kind of issue, what it is designed to do is stop non-people from submitting your forms. Having it validate the URL only makes this scenario a little more challenging for the hacker. That's why the more important part of the scenario is that you:

1. Validate that any data submitted to your site is coming from the page on your site that you hope it will be
2. That you don't allow anything to happen, including validating reCAPTCHA, if it is not

Jack
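The server-side check Jack recommends in his two numbered points can be made concrete. The example below is added here and is not code from either poster or from Google: it posts the widget token to the reCAPTCHA `siteverify` endpoint and then refuses the submission unless the `hostname` (or, for the Android SDK, `apk_package_name`) that Google reports in the JSON answer is one of your own properties. That field names where the widget was actually solved, so it still tells a cloned site apart from yours even when the dashboard domain check is switched off. The `ALLOWED_HOSTNAMES`, `ALLOWED_APK_PACKAGES` values and the sample responses are assumed for illustration; the Origin/Referer pre-check is a convenience only, since those headers are under the client's control.

```python
"""Server-side reCAPTCHA verification with an explicit hostname check.

Added example, not code from the original thread. Hostnames, package
names and sample responses below are assumed values for illustration.
"""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"

# Properties we accept. Assumed values; replace with the sites registered
# for your key in the reCAPTCHA admin console.
ALLOWED_HOSTNAMES = {"www.example.com", "example.com"}
ALLOWED_APK_PACKAGES = {"com.example.app"}


def evaluate_siteverify(payload, allowed_hostnames=ALLOWED_HOSTNAMES,
                        allowed_apk_packages=ALLOWED_APK_PACKAGES):
    """Decide whether a parsed siteverify JSON response is acceptable.

    Returns (ok, reason). 'success' alone is not enough: the response also
    names where the widget was solved ('hostname' for the web widget,
    'apk_package_name' for the Android SDK), and that must be ours.
    """
    if not payload.get("success"):
        return False, "siteverify reported failure: %s" % payload.get("error-codes", [])
    hostname = payload.get("hostname")
    apk = payload.get("apk_package_name")
    if hostname is not None:
        if hostname in allowed_hostnames:
            return True, "hostname %s allowed" % hostname
        return False, "token solved on unexpected hostname %r" % hostname
    if apk is not None:
        if apk in allowed_apk_packages:
            return True, "apk %s allowed" % apk
        return False, "token solved in unexpected package %r" % apk
    return False, "response names neither hostname nor apk_package_name"


def verify_token(secret, token, remote_ip=None, timeout=5):
    """Post the widget token to siteverify and evaluate the answer.

    Network call; offline tests use evaluate_siteverify on a constructed payload.
    """
    data = {"secret": secret, "response": token}
    if remote_ip:
        data["remoteip"] = remote_ip
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(SITEVERIFY_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.loads(resp.read().decode())
    return evaluate_siteverify(payload)


def origin_matches(request_headers, allowed_hostnames=ALLOWED_HOSTNAMES):
    """Cheap pre-check on the browser-supplied Origin/Referer header.

    Unlike the siteverify hostname this value is client-controlled, so it
    catches misuse by mistake, not a deliberate attacker.
    """
    origin = request_headers.get("Origin") or request_headers.get("Referer")
    if not origin:
        return False
    host = urllib.parse.urlsplit(origin).hostname
    return host in allowed_hostnames


if __name__ == "__main__":
    # Constructed sample responses, not real siteverify output.
    legit = {"success": True, "challenge_ts": "2017-01-26T13:17:09Z",
             "hostname": "www.example.com"}
    cloned = {"success": True, "challenge_ts": "2017-01-26T13:17:09Z",
              "hostname": "evil.example.net"}
    print(evaluate_siteverify(legit))
    print(evaluate_siteverify(cloned))
```

Call `verify_token(secret, token, remote_ip)` from the form handler before doing anything else with the submission, and only proceed when the returned `ok` is true; in the cloned-site scenario above the token verifies (`success` is true) but `hostname` is the attacker's, which is exactly the case the dashboard domain check was covering for.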