0

I am implementing reCaptcha in my MVC project as follows.

    [HttpPost]
    [ValidateAntiForgeryToken]
    [RecaptchaControlMvc.CaptchaValidatorAttribute]
    public ActionResult Index(IndexTemp indextemp, bool captchaValid)
    {
        // captchaValid is set by the CaptchaValidator action filter
        if (!captchaValid)
        {
            ModelState.AddModelError("", "You did not type the verification word correctly. Please try again.");
        }

        if (ModelState.IsValid)
        {
            // do stuff here
        }

        // Every code path must return a result; redisplay the form
        return View(indextemp);
    }

And in Web.config I have the following.

    <add key="ReCaptchaPrivateKey" value="some_key"/>
    <add key="ReCaptchaPublicKey" value="another_key"/>

I got reCaptcha from here.

I noticed that reCaptcha does not always work as expected (i.e. sometimes it validates when the words entered are invalid). After a bit of testing I noticed that as long as you enter the first word correctly it will always be valid!

Any ideas?

sakura-bloom
  • How much is a `bit of testing`? My guess is your sample data is too small. Also, remember the intent of the functionality is to distinguish humans from bots. It doesn't need 100% accuracy in deciphering the text to do that effectively. – Jason Meckley Jul 23 '13 at 20:39
  • Asking a question about a 3rd party application/plugin where questions should be asked to the 3rd party. See https://code.google.com/p/recaptcha/issues/list – Erik Philips Jul 23 '13 at 20:39
  • For those reading this in 2016 - it is still an issue now. Recaptcha will validate even if one word is correct. – itoctopus Aug 23 '16 at 00:09

1 Answer

2

This answer was helpful: reCAPTCHA authenticates as valid even for two incorrect words

From reCaptcha wiki:

reCAPTCHA consists of two words: a verification word, to which the reCAPTCHA server knows the answer and a read word which comes from an old book. The read word is not graded (since the server is using human guesses to figure out the answer). As such, this word can be entered incorrectly, and the CAPTCHA will still be valid. Each read word is sent to multiple people, so incorrect solutions will not affect the output of reCAPTCHA.

On the verification word, reCAPTCHA intentionally allows an "off by one" error depending on how much we trust the user giving the solution. This increases the user experience without impacting security. reCAPTCHA engineers monitor this functionality for abuse.

Community
sakura-bloom
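
A toy model of the grading rule quoted in the answer, added here as an illustration; it is not reCAPTCHA's code or the answerer's. The names `Challenge`, `grade` and `trusted`, the reading of "off by one" as a single character edit, and counting read-word votes only from passing responses are all assumptions.

```python
from collections import Counter


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(
                prev[j] + 1,               # delete ca
                cur[j - 1] + 1,            # insert cb
                prev[j - 1] + (ca != cb),  # substitute ca -> cb
            ))
        prev = cur
    return prev[-1]


class Challenge:
    """One two-word challenge: a known verification word plus an unknown read word."""

    def __init__(self, verification_answer: str):
        self.verification_answer = verification_answer.lower()
        self.read_votes = Counter()  # guesses collected for the read word

    def grade(self, typed_verification: str, typed_read: str, trusted: bool) -> bool:
        # Only the verification word is graded. Assumption: "off by one"
        # means one character edit, granted only to trusted users.
        allowed = 1 if trusted else 0
        typed = typed_verification.lower()
        passed = edit_distance(typed, self.verification_answer) <= allowed
        if passed:
            # The read word is never graded; it is recorded as a vote.
            self.read_votes[typed_read.lower()] += 1
        return passed

    def read_word_consensus(self):
        """Most common guess for the read word, or None without votes."""
        return self.read_votes.most_common(1)[0][0] if self.read_votes else None


if __name__ == "__main__":
    c = Challenge("morning")  # constructed sample words
    print(c.grade("morning", "xyzzy", trusted=False))      # wrong read word still passes
    print(c.grade("mornin", "overlooks", trusted=True))    # one typo, trusted user
    print(c.grade("mornin", "overlooks", trusted=False))   # one typo, untrusted user
    print(c.grade("evening", "overlooks", trusted=True))   # wrong verification word
```

This is why mistyping the second word in a manual test does not prove validation is broken: a meaningful test has to get the verification word wrong, and the user cannot tell which of the two words that is.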