Why bother validating the hostname for a Google Recaptcha response?

It may have something to do with people embedding your captchas on a site they set up, and using the solved captchas to spam your site.

For example, set up a site and give something for free (pirated movies/software, porn, etc) but ask for the captcha. Internally this is actually your captcha, and any solved captcha is passed down to a spambot targeting your site. This gives an attacker cost-efficient access to human captcha solving compared to the conventional captcha farms.

The hostname validation would prevent the captcha's JS from loading on an unauthorized site.

Update: I've recently implemented a demo of bypassing this by rendering the captcha on the original site in a headless browser and then using Websocket magic to stream it on my "bait" site (in this case a simple URL shortener that asks for the captcha before redirecting to the target site). This required considerable amounts of RAM (each Firefox instance was about 500MB) compared to the equivalent of rendering the captcha directly on the bait site, so this hostname verification feature is definitely a major pain for spammers.


There are two keys. The Site Key and the Secret Key. Both of these are given to the web admin when setting up reCAPTCHA.

For client side integration, they will give you the api.js and snippet, and site key to insert on the website.

"When your users submit the form where you integrated reCAPTCHA, you'll get as part of the payload a string with the name "g-recaptcha-response". In order to check whether Google has verified that user, send a GET request with these parameters:" <- so if I'm spoofing the url, your server never gets the g-recaptcha-response. The secret is never sent, the value of the 'g-recaptcha-response' is never sent, and the remote ip is never sent.

I'm missing how the hacker is obtaining the Secret Key from the web server. That would only ever be sent directly to google.

------ Extra explanation of what I'm seeing.

The Site Key is easily seen in the HTML code on your site. However, the Secret Key stored on your server cannot be accessed or spoofed. I don't know how the hacker would be gaining access to the secret key to complete the two-way authentication with Google.

I think this is what you are missing. ( the two way authentication )

References: https://www.youtube.com/watch?v=Fvt1S0nBmwQ (video on setting up Google reCAPTCHA).

https://developers.google.com/recaptcha/docs/verify

Also: "google reCAPTCHA exploits". There are some very interesting insecurities involving embedding someone else's reCAPTCHA in a website to automatically authenticate when they click anywhere on a page.

(Reputation is too low to post more than 2 links.)
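The server-side half of the picture, as an added example that is not from either answer: the first answer describes the bait-site trick, and the second describes the `g-recaptcha-response` verification call. The siteverify JSON reply carries a `hostname` field naming the site the token was actually solved on, so the verifying server can reject tokens solved on a bait site even when the console-level domain check is not in play. Everything below is illustrative code; the host names, token and secret are placeholders, and the canned JSON bodies are constructed, not real API output.

```python
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"


def evaluate_siteverify(body: dict, allowed_hosts: set) -> tuple:
    """Decide whether a siteverify JSON body proves a solve on one of our own hosts.

    Returns (accepted, reason). A token harvested on a bait site comes back with
    success=True but a foreign hostname, so checking 'success' alone is not enough.
    """
    if not body.get("success"):
        return False, "token rejected: " + ",".join(body.get("error-codes", []))
    host = body.get("hostname", "")
    # Exact allowlist match, no suffix matching: "example.com.evil.net" must fail.
    if host.lower() not in allowed_hosts:
        return False, f"token was solved on unexpected host {host!r}"
    return True, "ok"


def verify_token(secret: str, token: str, remote_ip: str, allowed_hosts: set, fetch=None) -> tuple:
    """POST the secret and the submitted g-recaptcha-response, then evaluate the reply.

    'fetch' defaults to a real HTTPS request; the offline demo injects a stub that
    returns canned JSON, so the secret never leaves the server in either path.
    """
    if fetch is None:
        def fetch(params):
            data = urllib.parse.urlencode(params).encode()
            with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=10) as resp:
                return json.load(resp)
    body = fetch({"secret": secret, "response": token, "remoteip": remote_ip})
    return evaluate_siteverify(body, allowed_hosts)


# Constructed sample replies (placeholders, not real API output) for the offline demo.
LEGIT = {"success": True, "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "www.example.com"}
BAIT = {"success": True, "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "free-movies.example.net"}
BAD = {"success": False, "error-codes": ["invalid-input-response"]}

if __name__ == "__main__":
    hosts = {"www.example.com", "example.com"}
    for label, canned in (("legit", LEGIT), ("bait", BAIT), ("bad", BAD)):
        ok, why = verify_token("SECRET_PLACEHOLDER", "token", "203.0.113.5", hosts,
                               fetch=lambda p, c=canned: c)
        print(label, ok, why)
```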
