
In the documentation of recaptcha (https://developers.google.com/recaptcha/docs/verify) it says that the remoteip parameter is optional, but I am trying to send a hard-coded false IP in the request and yet Google still returns a success:true response. The whole point of this parameter is to prevent a recaptcha token that was generated with third-party applications or workers such as click farms and then injected into a form submission.

I honestly don't see what's wrong with my code. If someone knows if this functionality has been removed by Google, please let me know.

This was previously brought up here, but whoever answered didn't understand the question the user had: Google recaptcha remoteip explanation

You can test this yourself by creating a reCAPTCHA v2 here and replacing SITEKEY_GOES_HERE and SECRET_HERE: https://www.google.com/recaptcha/admin

{ "success": true, "challenge_ts": "2020-05-18T02:48:33Z", "hostname": "########" }

Here is my verify.php code:

<?php
    // Read the form fields; `?? ''` avoids undefined-index notices when a field is missing
    $sender_name    = stripslashes($_POST["sender_name"] ?? '');
    $sender_email   = stripslashes($_POST["sender_email"] ?? '');
    $sender_message = stripslashes($_POST["sender_message"] ?? '');
    $response       = $_POST["g-recaptcha-response"] ?? '';

    $url = 'https://www.google.com/recaptcha/api/siteverify';
    $data = array(
        'secret'   => 'SECRET_HERE',
        'response' => $response,
        'remoteip' => '123.123.123.123',   // deliberately bogus: testing whether Google rejects a mismatched remoteip
    );
    $options = array(
        'http' => array (
            'method'  => 'POST',
            // explicit Content-Type so PHP's http wrapper does not have to assume one
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query($data)
        )
    );
    $context = stream_context_create($options);
    $verify  = file_get_contents($url, false, $context);
    $captcha_success = json_decode($verify);

    // Echo the raw siteverify JSON either way so the result can be inspected
    if ($captcha_success->success == false) {
        echo $verify;
    } else if ($captcha_success->success == true) {
        echo $verify;
    }
?>

Here is my index.html code:

<html>
  <head>
    <title>reCAPTCHA demo: Simple page</title>
    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
  </head>
  <body>
    <form action="verify.php" method="post" enctype="multipart/form-data">
      <input name="sender_name" placeholder="Your Name..."/>
      <input name="sender_email" placeholder="Your email..."/>
      <textarea placeholder="Your Message..." name="sender_message"></textarea>
      <div class="captcha_wrapper">
        <div class="g-recaptcha" data-sitekey="SITEKEY_GOES_HERE"></div>
      </div>
      <button type="submit" id="send_message">Send Message!</button>
    </form>
  </body>
</html>
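Since remoteip is optional and, as the question observes, a mismatched value does not make siteverify fail, the checks that actually gate acceptance are the other documented response fields: success (with error-codes such as timeout-or-duplicate, because a token can only be verified once), hostname (the site where the challenge was solved, which must be one of your own domains), challenge_ts (tokens expire after two minutes), and for v3 the score and action. The following is an added example and not code from the question or from Google's library; the function names, the 120-second local re-check of challenge_ts, the example.com hostnames and the constructed sample response are my own assumptions. It runs offline on the constructed response (an accepting case, a hostname mismatch and a stale timestamp); the commented-out call at the end shows how verify.php would use it with the real client address from $_SERVER['REMOTE_ADDR'] instead of a hard-coded one.

```php
<?php
// Added example (not from the question or Google's library): server-side
// siteverify with the checks that actually gate acceptance. Function names,
// the local freshness window and the sample data below are assumptions.
declare(strict_types=1);

const SITEVERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const MAX_TOKEN_AGE_SECONDS = 120; // Google expires tokens after 2 minutes; re-check locally

/**
 * POST to siteverify with cURL and return the raw JSON body.
 * remoteip is informational only: Google does not fail a token whose
 * remoteip differs, so pass the real client address and rely on the checks below.
 */
function siteverify_request(string $secret, string $token, ?string $remoteIp): string
{
    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }
    $ch = curl_init(SITEVERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("siteverify request failed: $err");
    }
    curl_close($ch);
    return $body;
}

/**
 * Decide whether a siteverify JSON body proves a fresh, single-use token solved
 * on one of our own hostnames. Returns ['ok' => bool, 'reason' => string].
 * $minScore and $expectedAction apply to v3 responses only.
 */
function evaluate_siteverify(string $json, array $allowedHostnames, int $now,
                             ?float $minScore = null, ?string $expectedAction = null): array
{
    $r = json_decode($json, true);
    if (!is_array($r) || !array_key_exists('success', $r)) {
        return ['ok' => false, 'reason' => 'unparseable response'];
    }
    if ($r['success'] !== true) {
        // e.g. timeout-or-duplicate: a token is only verifiable once
        $codes = implode(',', $r['error-codes'] ?? ['unknown']);
        return ['ok' => false, 'reason' => "siteverify failure: $codes"];
    }
    // hostname is the site where the challenge was solved; it must be ours
    $hostname = $r['hostname'] ?? '';
    if (!in_array($hostname, $allowedHostnames, true)) {
        return ['ok' => false, 'reason' => "hostname mismatch: $hostname"];
    }
    // challenge_ts is ISO 8601 UTC; reject stale tokens and allow a little clock skew forward
    $ts = isset($r['challenge_ts']) ? strtotime($r['challenge_ts']) : false;
    if ($ts === false || $now - $ts > MAX_TOKEN_AGE_SECONDS || $ts > $now + 60) {
        return ['ok' => false, 'reason' => 'challenge_ts missing, stale or in the future'];
    }
    if ($minScore !== null && (!isset($r['score']) || (float) $r['score'] < $minScore)) {
        return ['ok' => false, 'reason' => 'score below threshold'];
    }
    if ($expectedAction !== null && ($r['action'] ?? null) !== $expectedAction) {
        return ['ok' => false, 'reason' => 'action mismatch'];
    }
    return ['ok' => true, 'reason' => 'verified'];
}

// Offline demonstration on a constructed response (same shape as the one in the question).
$now    = strtotime('2020-05-18T02:48:40Z');
$sample = '{ "success": true, "challenge_ts": "2020-05-18T02:48:33Z", "hostname": "example.com" }';
var_dump(evaluate_siteverify($sample, ['example.com'], $now));         // accepting case
var_dump(evaluate_siteverify($sample, ['other.example'], $now));       // hostname mismatch
var_dump(evaluate_siteverify($sample, ['example.com'], $now + 3600));  // stale token

// Live use from verify.php, with the real client address rather than a hard-coded one:
// $result = evaluate_siteverify(
//     siteverify_request('SECRET_HERE', $_POST['g-recaptcha-response'] ?? '', $_SERVER['REMOTE_ADDR'] ?? null),
//     ['example.com'], time());
```

Only the `ok` flag should decide whether the form submission is processed; the `reason` string is for server-side logging, since echoing it back (as the question's debugging code does with the raw JSON) tells a submitter exactly which check rejected them.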

  • Just checked, I have the same problem. IP correct or false does not change anything, while I use the latest official library https://packagist.org/packages/google/recaptcha. But I liked this answer https://security.stackexchange.com/a/201119 – AlexeySRG Feb 19 '22 at 19:58

0 Answers