CAPTCHAs—More dangerous than useful

by ITECHNEWS
February 1, 2022
in Leading Stories, Opinion
CAPTCHA and reCAPTCHA are an ever-present component on any website that requires user interaction. But the risks of embedding CAPTCHA/reCAPTCHA plugins on a website can outweigh the benefits. Flawed code can increase the threat of client-side attacks.

Who hasn’t encountered a CAPTCHA? You know what we’re talking about…those annoying website challenge tests that ask you to prove you’re a human (and not a bot) by picking out all the photos of traffic lights from a series of pictures or by entering a sequence of incredibly difficult-to-read letters or numbers into a data entry box.

Designed originally to prevent internet bots and spammers from manipulating website comment sections, digital polling, and forms, CAPTCHA (which stands for Completely Automated Public Turing tests to tell Computers and Humans Apart) has always had problems, ranging from accessibility concerns to slowed user website interaction, reduced conversion rates, and even lost profits.

And, of course, with advances in artificial intelligence (AI), bots can pretty much circumvent what little protection CAPTCHA and reCAPTCHA may offer.

So why bother with CAPTCHAs?

Well, the short answer is that you probably shouldn’t, as they may not be worth the hassle.

The problem with CAPTCHAs

Issues with the CAPTCHA system became apparent pretty early in its evolution. Visually impaired users couldn’t easily interpret the letter/number sequences and thus were blocked from accessing websites. And for users with no vision loss, the jumble of distorted letters and numbers still often eluded interpretation. The latest rendition of the CAPTCHA (called reCAPTCHA), which contains everything from small and blurry images of boats and motorcycles to large, divided images of crosswalks and traffic lights, has only served to frustrate users due to the time it takes to complete the test. Studies have demonstrated that CAPTCHAs:

  • Make users more likely to leave the page rather than filling out the CAPTCHA and continuing to the next step.
  • Are difficult to use on mobile devices. In fact, one study found that mobile users were 27% less likely to complete a CAPTCHA than desktop users.
  • May reduce lead generation by at least 12%.
  • Are difficult for users to complete. As many as 40% of users fail the CAPTCHA on their first try.

CAPTCHAs can contribute to client-side attacks

In addition to the issues associated with user frustration and disengagement, CAPTCHA technology can also contribute to client-side website attacks. CAPTCHA plugins can be easily obtained through WordPress libraries or repositories like GitHub, and unfortunately, like any code, these plugins will contain vulnerabilities, particularly if the code comes from a third- or fourth-party source. A recent search of the MITRE CVE database found at least 10 vulnerabilities related to reCAPTCHA and 85 vulnerabilities related to CAPTCHA. Exploitable issues included cross-site scripting (XSS), cross-site request forgery, SQL injection, brute-force protection bypass, and arbitrary web script execution.

CAPTCHA & cross-site scripting (XSS)

One of the most common threats found among the CAPTCHA vulnerabilities listed on the MITRE CVE database is cross-site scripting, which involves injecting malicious code directly into websites to give attackers access to data on an end user’s browser, such as cookies, session tokens, and sensitive identity information. One of the easiest ways to inject malicious code is through existing vulnerabilities—like those contained in CAPTCHA plugins.

Protection from client-side vulnerabilities

Security practitioners increasingly recommend that organizations move to CAPTCHA alternatives, such as honeypots. If an organization has no choice but to use CAPTCHA technology on a website, then security tools that continuously monitor, inspect, and scan websites should be employed to help minimize attack risk.
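As an added illustration of the honeypot alternative mentioned above (not code from the original article or from any CAPTCHA plugin), the following server-side check rejects submissions that fill a decoy field hidden from humans with CSS, or that arrive implausibly fast. The field names `website` and `form_token`, the secret, and both time thresholds are assumptions chosen for the example.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: loaded from server config in practice
const TRAP_FIELD = 'website';             // hypothetical decoy input, hidden from humans via CSS
const MIN_FILL_MS = 3000;                 // assumed: people rarely submit a form this quickly
const MAX_AGE_MS = 60 * 60 * 1000;        // assumed: forms older than an hour are stale

function sign(ts) {
  return createHmac('sha256', SECRET).update(String(ts)).digest('hex');
}

// Called when the form is rendered; the result goes into a hidden form_token input.
function issueFormToken(now = Date.now()) {
  return `${now}.${sign(now)}`;
}

// Returns { ok, reason } for a parsed form body.
function checkSubmission(body, now = Date.now()) {
  // 1. Browsers submit the hidden decoy as an empty string. A filled or
  //    missing decoy means the form was not completed through the page.
  if (body[TRAP_FIELD] !== '') return { ok: false, reason: 'honeypot-tripped' };
  // 2. The render timestamp must carry a valid HMAC from this server.
  const [tsText, mac] = String(body.form_token || '').split('.');
  const expected = Buffer.from(sign(tsText), 'hex');
  const given = Buffer.from(mac || '', 'hex');
  if (!/^\d+$/.test(tsText) || given.length !== expected.length ||
      !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-token' };
  }
  // 3. Reject forms submitted too quickly or long after they were rendered.
  const age = now - Number(tsText);
  if (age < MIN_FILL_MS) return { ok: false, reason: 'too-fast' };
  if (age > MAX_AGE_MS) return { ok: false, reason: 'expired' };
  return { ok: true, reason: 'accepted' };
}

// Constructed sample submissions (not real traffic).
const t0 = 1700000000000;
const token = issueFormToken(t0);
console.log(checkSubmission({ website: '', form_token: token, email: 'a@example.org' }, t0 + 8000));
console.log(checkSubmission({ website: 'http://spam.example', form_token: token }, t0 + 8000));
```

A token stays valid until it expires, so this check is normally paired with per-client rate limiting.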

Source: Security Boulevard
Tags: CAPTCHAs