6

Just to give a background for my question, I am using Vanilla Forums for a website I run. Vanilla Forums comes with baked-in support for using reCAPTCHA to authenticate new registrations on the website, which I have enabled. Recently on my forum, however, I have seen a spike in spam registrations (obvious 'spammy' usernames, same email address used, et al.).

I looked into this to try to see how spambots could be getting past the reCAPTCHA verification. I know that in reCAPTCHA, one of the words is known by the system and the other isn't, so it is possible that a form submit might validate even if one incorrect word is entered.

So I tried out a couple of things on the registration form on my site, by entering invalid reCAPTCHA inputs. I found that...

  • If the number of characters entered per word is correct
  • The answer response entered for BOTH words is entered correctly EXCEPT FOR by one character

...no reCAPTCHA error is thrown.

I don't think this issue is isolated to Vanilla Forums either. When you go to the demo page for reCAPTCHA, try this yourself. Enter two words, correct number of characters, but the words themselves off by one character - with 'similar' looking characters (like an 'a' instead of a 'd', or a 'v' instead of a 'w').

Is there something wrong with Vanilla's implementation of reCAPTCHA or is this a known issue with reCAPTCHA itself? (You can test Vanilla's registration form here.)

Possibly related: Has reCaptcha been cracked / hacked / OCR'd / defeated / broken?

Ankur Banerjee
  • I have experienced the same behavior, and at times it can be more than two characters or even one less character – Syed Ali May 15 '14 at 17:03

1 Answer

11

Just found the answer in the reCAPTCHA wiki:

On the verification word, reCAPTCHA intentionally allows an "off by one" error depending on how much we trust the user giving the solution. This increases the user experience without impacting security. reCAPTCHA engineers monitor this functionality for abuse.

Ankur Banerjee
  • That link doesn't work. I couldn't find any wiki.recaptcha.net website. Wouldn't all the documentation be on Google now that Google bought reCAPTCHA from Carnegie-Mellon? – Ellie Kesselman Oct 16 '11 at 02:33
  • @FeralOink: Updated to change it to a Wayback Machine cache of the page. I can't find equivalent documentation on reCAPTCHA site any more. – Ankur Banerjee Oct 18 '11 at 10:24
  • +1 Thank you! It is unfortunate that the reCAPTCHA wiki site went off-line. A real loss, as it had so much good information, given the many references I have seen on SE alone. FYI, at least the reCAPTCHA Google group remains online and active (the wiki mentioned it): http://groups.google.com/group/recaptcha?hl=en – Ellie Kesselman Oct 18 '11 at 14:53
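The behaviour the question and answer describe, as an added example (not reCAPTCHA's or Vanilla's code): a toy verifier in which only the control word is graded, the unknown OCR word is never checked, and a trust level decides whether one character of edit distance (substitution, insertion or deletion) is tolerated. The challenge structure, the trust threshold and all function names are assumptions.

```python
# Illustrative model of a CAPTCHA verifier with an intentional "off by one"
# tolerance on the control word. This is an assumed design for explanation,
# not reCAPTCHA's real implementation.


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character insertions, deletions
    or substitutions that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca->cb
        prev = cur
    return prev[-1]


def tolerance_for(trust: float) -> int:
    """Hypothetical policy: a sufficiently trusted client is allowed one
    character of slack, an untrusted one must match exactly."""
    return 1 if trust >= 0.5 else 0


def verify(challenge: dict, response: str, trust: float = 0.5) -> bool:
    """challenge = {"known": control word, "known_index": 0 or 1}.
    The second word in the image is unread OCR text, so the server has no
    answer key for it; it is collected, not graded, and any value passes."""
    parts = response.split()
    if len(parts) != 2:
        return False
    answer = parts[challenge["known_index"]].lower()
    return edit_distance(answer, challenge["known"].lower()) <= tolerance_for(trust)


# Constructed sample challenge: control word "morning" shown first.
SAMPLE = {"known": "morning", "known_index": 0}
```

Because grading never touches the unknown word, the observed acceptance of a deliberately wrong second word is expected, and the single-character slack on the first word is the server-side tolerance the wiki text describes rather than a Vanilla bug.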