CiviCRM reCAPTCHA Util not validating user tokens on form submission
CiviCRM's ReCAPTCHA utility class does not verify user tokens on form submission.
It seems that core's implementation of ReCAPTCHA has not been verifying user reCAPTCHA tokens since a commit made in 2015.
CRM_Utils_ReCAPTCHA::add() in CRM/Utils/ReCAPTCHA.php does two things to validate a reCAPTCHA submission:
- Register a Rule to use `CRM_Utils_ReCAPTCHA::validate` as a callback function
- Check that the form input `g-recaptcha-response` has a value
Google's reCAPTCHA documentation states that each user response token is valid for two minutes and can only be verified once, via the siteverify API, to prevent replay attacks. Checking that the field merely has a value does neither of those things: any string, including a token solved elsewhere or one that was never issued, passes.
The request should be a POST to https://www.google.com/recaptcha/api/siteverify containing the site's reCAPTCHA secret, the user token and optionally the user's IP address; the JSON reply carries a `success` flag, the `hostname` the challenge was solved on, and any `error-codes`.
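As an added example (not CiviCRM's own code, and not a reconstruction of what the 2015 commit removed): a server-side siteverify call of the kind described above, and a QuickForm-style rule callback that uses it in place of the has-a-value check. The endpoint, POST parameters and the `g-recaptcha-response` field name come from the report; the function names, the optional hostname comparison, the fail-closed handling of transport errors and the error message are this example's own assumptions.

```php
<?php
/**
 * Added example, not CiviCRM code. Verify a reCAPTCHA response token with
 * Google's siteverify endpoint. Returns true only when Google confirms the
 * token; every other outcome (empty token, transport failure, non-200 reply,
 * malformed JSON, success=false, hostname mismatch) is treated as "not verified".
 *
 * Google enforces the two-minute lifetime and single use server-side; a
 * replayed or stale token comes back with success=false and the error code
 * "timeout-or-duplicate", so simply acting on `success` covers replay.
 *
 * $expectedHostname is an assumption of this example: Google echoes the host
 * the widget was solved on, and comparing it rejects tokens solved on another
 * site that share the same secret.
 */
function verifyRecaptchaToken($secret, $token, $remoteIp = null, $expectedHostname = null) {
  // No token means the user never solved the challenge; skip the network call.
  if (!is_string($token) || $token === '') {
    return false;
  }

  $params = ['secret' => $secret, 'response' => $token];
  if ($remoteIp !== null) {
    $params['remoteip'] = $remoteIp;   // optional, as the report notes
  }

  $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
  curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query($params),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_TIMEOUT        => 10,
    CURLOPT_SSL_VERIFYPEER => true,   // never disable: the secret travels in this request
  ]);
  $body     = curl_exec($ch);
  $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  curl_close($ch);

  // Fail closed: if Google could not be reached, the submission is not verified.
  if ($body === false || $httpCode !== 200) {
    return false;
  }

  $result = json_decode($body, true);
  if (!is_array($result) || empty($result['success'])) {
    return false;
  }

  if ($expectedHostname !== null) {
    $seen = isset($result['hostname']) ? $result['hostname'] : null;
    if ($seen !== $expectedHostname) {
      return false;
    }
  }

  return true;
}

/**
 * Hypothetical rule callback of the shape a QuickForm addFormRule() expects:
 * return true when the submission is acceptable, otherwise an array mapping a
 * field name to an error string. The field name is the one from the report;
 * the secret would come from the site's CiviCRM settings.
 */
function recaptchaFormRule($values, $secret, $expectedHostname = null) {
  $token    = isset($values['g-recaptcha-response']) ? $values['g-recaptcha-response'] : '';
  $remoteIp = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;

  if (verifyRecaptchaToken($secret, $token, $remoteIp, $expectedHostname)) {
    return true;
  }
  // Assumed error text; the field name decides where the form shows it.
  return ['g-recaptcha-response' => 'reCAPTCHA verification failed. Please try again.'];
}
```

The point of the example is the fail-closed shape: an attacker who can reach the form can always put some value in `g-recaptcha-response`, so the only check that means anything is Google's answer, and any condition that prevents getting that answer has to be read as a failed verification, not a pass.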
It seems to me that the `CRM_Utils_ReCAPTCHA::validate()` function needs to be reinstated.
Our site has been hit by credit card scammers who stepped around reCAPTCHA v2 Checkbox consistently. I checked our Google reCAPTCHA console and found these two statements:
- 0% suspicious cases
- "We detected that your site is not verifying reCAPTCHA solutions. This is required for the proper use of reCAPTCHA on your site. Please see our developer site for more information."