CiviCRM reCAPTCHA Util not validating user tokens on form submission
Overview
CiviCRM's ReCAPTCHA utility class does not verify user tokens on form submission.
It seems that core's implementation of ReCAPTCHA has not been verifying user reCAPTCHA tokens since a commit made in 2015.
Current behaviour
The function CRM_Utils_ReCAPTCHA::add() in CRM/Utils/ReCAPTCHA.php does two things to validate a reCAPTCHA submission:
- Register a Rule to use CRM_Utils_ReCAPTCHA::validate as a callback function
- Check the form input g-recaptcha-response has a value
The function CRM_Utils_ReCAPTCHA::validate() doesn't exist. @seamuslee did some digging and found the function was removed in this commit as part of the work done on this issue.
Expected behaviour
Google's reCAPTCHA documentation states that the user token must be verified server-side through the siteverify API: a token expires two minutes after it is issued and can be verified only once, which is what protects against replayed or forged submissions. Checking that the form field is non-empty does not do this, because the client controls that value.
The verification request is a POST to https://www.google.com/recaptcha/api/siteverify containing the site's reCAPTCHA secret (secret), the user token (response) and optionally the user's IP address (remoteip). The JSON reply carries a success flag and, on failure, an error-codes list (for example timeout-or-duplicate for an expired or re-used token).
It seems to me that the CRM_Utils_ReCAPTCHA::validate() function needs to be reinstated.
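As an added illustration of the siteverify round-trip described above (this is not CiviCRM's code and not the removed validate() function; the function names, the injectable transport and the fake siteverify responses are assumptions made for the example), the following PHP performs the verification, fails closed on transport or parsing problems, and exercises the first-use, replay, forged and empty-token cases offline:

```php
<?php
// Added example, not CiviCRM code. Function names are assumptions.

/**
 * Verify a reCAPTCHA user token against Google's siteverify API.
 *
 * @param string        $token    The g-recaptcha-response value from the form.
 * @param string        $secret   The site's reCAPTCHA secret key.
 * @param string|null   $remoteIp Optional client IP forwarded to Google.
 * @param callable|null $post     Transport: fn(string $url, array $fields): ?string
 *                                returning the raw JSON body, or NULL on failure.
 *                                Injectable so the logic can be exercised offline.
 * @return array ['ok' => bool, 'errors' => string[]]
 */
function recaptcha_siteverify($token, $secret, $remoteIp = NULL, callable $post = NULL) {
  if ($post === NULL) {
    $post = 'recaptcha_curl_post';
  }
  // A missing token is a failure, not something to skip.
  if (!is_string($token) || $token === '') {
    return ['ok' => FALSE, 'errors' => ['missing-input-response']];
  }
  $fields = ['secret' => $secret, 'response' => $token];
  if (!empty($remoteIp)) {
    $fields['remoteip'] = $remoteIp;
  }
  $body = $post('https://www.google.com/recaptcha/api/siteverify', $fields);
  if ($body === NULL) {
    // Transport failure: fail closed rather than letting the submission through.
    return ['ok' => FALSE, 'errors' => ['transport-failure']];
  }
  $data = json_decode($body, TRUE);
  if (!is_array($data) || !isset($data['success'])) {
    return ['ok' => FALSE, 'errors' => ['malformed-response']];
  }
  $errors = (isset($data['error-codes']) && is_array($data['error-codes']))
    ? $data['error-codes'] : [];
  return ['ok' => $data['success'] === TRUE, 'errors' => $errors];
}

/** Real transport using cURL; returns the response body or NULL on failure. */
function recaptcha_curl_post($url, array $fields) {
  $ch = curl_init($url);
  curl_setopt_array($ch, [
    CURLOPT_POST => TRUE,
    CURLOPT_POSTFIELDS => http_build_query($fields),
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_TIMEOUT => 10,
  ]);
  $body = curl_exec($ch);
  $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
  curl_close($ch);
  return ($body === FALSE || $status !== 200) ? NULL : $body;
}

// Offline demonstration with a constructed fake transport that mimics siteverify.
// "good-token" verifies once; a second use is reported as timeout-or-duplicate,
// which is how Google signals a replayed or expired token.
$seen = [];
$fakeSiteverify = function ($url, array $fields) use (&$seen) {
  if (empty($fields['secret'])) {
    return json_encode(['success' => FALSE, 'error-codes' => ['missing-input-secret']]);
  }
  if ($fields['response'] !== 'good-token') {
    return json_encode(['success' => FALSE, 'error-codes' => ['invalid-input-response']]);
  }
  if (isset($seen[$fields['response']])) {
    return json_encode(['success' => FALSE, 'error-codes' => ['timeout-or-duplicate']]);
  }
  $seen[$fields['response']] = TRUE;
  return json_encode(['success' => TRUE, 'hostname' => 'example.org']);
};

$cases = [
  ['good-token', 'first use'],
  ['good-token', 'replay'],
  ['forged',     'forged'],
  ['',           'empty'],
];
foreach ($cases as list($tok, $label)) {
  $r = recaptcha_siteverify($tok, 'site-secret', '203.0.113.5', $fakeSiteverify);
  printf("%-9s ok=%s errors=%s\n", $label, $r['ok'] ? 'yes' : 'no', implode(',', $r['errors']));
}
```

Only the first case verifies; the replay, forged and empty cases are all rejected. A form rule callback that wraps recaptcha_siteverify() and returns $r['ok'] would give the "Register a Rule" step above something real to call; the secret must come from server-side configuration and never be sent to the browser.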
Context
Our site has been hit by credit card scammers who stepped around reCAPTCHA v2 Checkbox consistently. I checked our Google reCAPTCHA console and found these two statements:
- 0% suspicious cases
- "We detected that your site is not verifying reCAPTCHA solutions. This is required for the proper use of reCAPTCHA on your site. Please see our developer site for more information."