27 Aug
My reCAPTCHA got bypassed
About a year ago, my reCAPTCHA for creating users seemed to get completely bypassed by a hacker, who created thousands of users in a small time frame. Here are the checks I did:
- I reviewed all the queries that insert new entries into my database and found that only one function is responsible for creating an account. This function is called exclusively by the account creation endpoint, which is secured by reCAPTCHA.
- I experimented with sending unusual reCAPTCHA values (such as reusing a token, not sending it at all, sending null, etc.).
Additional information:
- I use reCAPTCHA v2.
- The hacker created around 15,000 users in 1 week.
- I use the react-native-recaptcha-that-works package to use it in my React Native app.
- When the attack happened, I was using the "Easiest for users" option for reCAPTCHA v2.
What other tests do you suggest that I do?
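One test worth running against the account-creation endpoint is whether its server-side verification rejects every one of the odd inputs listed above (replayed token, missing token, null, forged value) and also a token that Google accepted but for a different site. The verifier below is an added example, not the poster's code or the package's: it calls reCAPTCHA v2's siteverify API through an injected `post` function (so it runs offline against a constructed stand-in), checks `success`, `hostname` and `challenge_ts` freshness, and burns each token locally so a replay is refused before it ever reaches Google. The secret, hostname `app.example.com` and token values are constructed placeholders.

```python
import time
from datetime import datetime, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
TOKEN_MAX_AGE_S = 120  # a v2 token is only redeemable for two minutes

class RecaptchaVerifier:
    def __init__(self, secret, expected_hostname, post):
        # post(data) must POST data to SITEVERIFY_URL and return the parsed JSON;
        # it is injected so the checks can be exercised offline.
        self.secret, self.expected_hostname, self.post = secret, expected_hostname, post
        self._seen = {}  # token -> expiry; a token is accepted once, then burned

    def verify(self, token):
        """Return (ok, reason); the reason is what you log and alert on."""
        if not isinstance(token, str) or not token:
            return False, "missing-token"
        now = time.time()
        self._seen = {t: e for t, e in self._seen.items() if e > now}
        if token in self._seen:
            return False, "token-replayed"
        try:
            result = self.post({"secret": self.secret, "response": token})
        except Exception:
            return False, "siteverify-unreachable"  # fail closed, never open
        if result.get("success") is not True:
            return False, "rejected:" + ",".join(result.get("error-codes", []))
        if result.get("hostname") != self.expected_hostname:
            return False, "hostname-mismatch"
        try:  # challenge_ts is ISO 8601 UTC, e.g. 2024-08-27T10:00:00Z
            issued = datetime.fromisoformat(result["challenge_ts"].replace("Z", "+00:00"))
        except (KeyError, ValueError, AttributeError):
            return False, "bad-timestamp"
        if now - issued.timestamp() > TOKEN_MAX_AGE_S:
            return False, "token-expired"
        self._seen[token] = now + TOKEN_MAX_AGE_S
        return True, "ok"

# Constructed offline stand-in for siteverify: exactly one token is "solved",
# and it is "solved" every time it is asked, which is why the replay cache matters.
def fake_siteverify(data):
    if data["response"] == "solved-token":
        return {"success": True, "hostname": "app.example.com",
                "challenge_ts": datetime.now(timezone.utc).isoformat()}
    return {"success": False, "error-codes": ["invalid-input-response"]}

def demo():  # the same solved token twice, then a null and a forged value
    v = RecaptchaVerifier("SECRET", "app.example.com", fake_siteverify)
    return [v.verify(t)[1] for t in ("solved-token", "solved-token", None, "x")]
```

In production, `post` is a function that sends the form-encoded `secret` and `response` fields to `SITEVERIFY_URL` and returns the JSON body; the rejection reasons are what to graph per minute to spot a burst like the 15,000-user one.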