10

Wanting to go a step further in reducing the attack surface of my "register new user" form, I am thinking of using reCAPTCHA (the one Google offers).

Having bots sorted out from being able to register and hence not being able to easily break my website seems good. And from what I understand, reCAPTCHA helps with keeping automated things from using my register form.

Anyway I started wondering. If the attackers had the consent of Google (which I use to determine the "attacker is a bot"-attribute), then there seems no way the Google reCAPTCHA can stop bots anymore.

In essence: If I import the Google reCAPTCHA feature into my protection system for my website, it will only protect to the extent

  1. that reCAPTCHA itself cannot be bot-answered
  2. Google does not allow some bot to cheat.

Is my assumption true that importing something like reCAPTCHA functionality already opens potential doors for Google and their partners?

So Google reCAPTCHA can be bypassed by Google, right?

Update and further information

The chance for cheating with Google's reCAPTCHA product seems even worse now that I know that to get it to work you actually need to include a Google JavaScript into your website. Perfect to potentially infringe the form data privacy of your users. At least if I am not wrong this is an even worse chance for cheating than the initial worry I had about circumventing a bot attack.

At a further look, when logging in to the StackExchange Q&A network there is yet another Google JavaScript; ajax.googleapis.com is loaded into the website. So if Google wanted to cheat… even here there is plenty of chance :-(

humanityANDpeace
  • “[Y]ou actually need to include a Google JavaScript into your website” – Google has JavaScript running on most(!) web sites: [Google Analytics](http://w3techs.com/technologies/details/ta-googleanalytics/all/all), [Ads](http://w3techs.com/technologies/details/ad-google/all/all) and their [JavaScript libraries CDN `ajax.googleapis.com`](http://w3techs.com/technologies/details/cd-googlelibraries/all/all) (and of course [reCAPTCHA](https://wappalyzer.com/applications/recaptcha)). If you just look at Analytics it's already used at **almost 50 per cent** of all web sites. – user2428118 Mar 13 '14 at 11:31
  • 2
    As a side note: Google captcha allows Google users to cheat if they're signed in (here's a GIF with this: http://img.pr0gramm.com/2014/01/1389638757279.gif) – Evgeniy Chekan Mar 13 '14 at 11:34
  • @user2428118 right, this sadly is so. IMHO there is too much use of these cross-origin included JavaScripts. Also this dominance hits hard on the accepted answer's suggestion (1) "Google would not cheat because of reputation". The more occurrences of Google-included JavaScript, the harder it is to survey them all. On the bright side, as long as you still script-tag-include, you did not eval the code secretly inside of your JavaScript, and users can guard themselves with NoScript and the like. – humanityANDpeace Mar 13 '14 at 16:41

1 Answer

18

Yes, you are correct. The administrators running reCAPTCHA could request a CAPTCHA from your site and then perform a look-up to see which CAPTCHA was generated for your site and therefore the expected string which validates.

The trade-off is that 1) they are probably trustworthy not to be doing this because of the potential damage to reputation if/when caught and 2), it's still probably better than you could implement yourself.

deed02392
  • 3
    Thanks for the answer. I figured that Google only offers its shitty "include our javascript code into your website" version of reCAPTCHA. This puts the cherry on the top. I cannot use reCAPTCHA without actually allowing Google servers to sniff (via JavaScript) the form data of my users. NOGO. So in essence it cannot protect against bots if desired by Google. And worse, it can even XSS your website users! Great product. I love Google – humanityANDpeace Mar 12 '14 at 10:21
  • 1
    regarding your trade-off "1) trustworthy because fear of reputation loss when caught". That would make a good point that they will not overstress their cheating power potential. Yet for TAO it would be a handy tool, that a reCAPTCHA adds another entry hook. And TAO is not specific so the risk of discovery & rep loss is minimal. – humanityANDpeace Mar 12 '14 at 14:03
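
The question's update and the comments turn on the fact that a script loaded with a `<script src>` tag runs with the including page's origin, so it can read the same form fields the page can. The following is an added example, not part of the original thread: it inventories the cross-origin script includes on a registration page and reports whether each is pinned with a Subresource Integrity attribute. The page URL `https://example.test/register`, the sample HTML and the integrity value are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """Return the (scheme, host, port) triple browsers compare as the origin."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class ScriptInventory(HTMLParser):
    """Collect cross-origin <script src> includes and note password fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.third_party = []
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            # urljoin resolves relative paths and protocol-relative //host URLs
            url = urljoin(self.page_url, a["src"])
            if origin(url) != origin(self.page_url):
                self.third_party.append({"host": urlsplit(url).hostname,
                                         "url": url,
                                         "sri": bool(a.get("integrity"))})
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password_field = True

def audit(page_url, html):
    inv = ScriptInventory(page_url)
    inv.feed(html)
    return inv

# Constructed sample page (not taken from any real site).
SAMPLE_URL = "https://example.test/register"
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="//www.google.com/recaptcha/api.js" async defer></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.11.0/jquery.min.js"
        integrity="sha384-CONSTRUCTED-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body>
<form method="post"><input name="user"><input type="password" name="pw"></form>
</body></html>"""

if __name__ == "__main__":
    result = audit(SAMPLE_URL, SAMPLE_HTML)
    for s in result.third_party:
        print(f"{s['host']}: {'pinned by SRI' if s['sri'] else 'unpinned'} ({s['url']})")
    if result.has_password_field and result.third_party:
        print("third-party scripts run in the same origin as a password field")
```
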