25

I am implementing Google's reCaptcha in my app. According to the documentation, my API request must include my secret key and the response, and optionally the user's remote ip.

For what reasons would I include the remote ip?

Mooseman

5 Answers

16

Because there could be a DNS/hosts reroute in place to allow the captcha to be parsed differently by a malicious user.

One possible scenario is farming cheap labour to manually solve captchas and then submit them back with the form. Since the recaptcha will only serve the image once, this is the lazy way to farm this out (redirect the requested image elsewhere).

If the IP address which requests the image is different to the IP address that requests the page then this would indicate this style of attack.

Damian Nikodem
4

When I compare my "scores" with different scenarios, I see this:

  1. Without remoteip: variable scores between 0.7 and 0.9.
  2. With "good" remoteip: almost always 0.9.
  3. With "wrong" remoteip: almost always 0.7.

I'm not sure if this test will always give the same results, but that's the results I got today by testing it several times.

So, providing the IP helps get a better score; it's a double-check from client-side and server-side that can help detect bad activity.

foxontherock
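A server-side verification call that includes `remoteip`, as an added example (not code from the question or from any answer here): it derives the client address without trusting a forgeable X-Forwarded-For header, builds the siteverify request with the three parameters the question lists, and judges the reply by hostname, action and score rather than by `success` alone, which is the kind of check behind the score comparison above. The proxy range, hostname, action name and score threshold are assumptions.

```python
import ipaddress
import urllib.parse
import urllib.request
from typing import Optional, Tuple

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
# Assumption: the reverse proxies in front of this app live in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def client_ip(peer_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Choose the address to send as remoteip.
    X-Forwarded-For is honoured only when the TCP peer is one of our own
    proxies; otherwise a client could forge the header and feed Google a
    bogus address. One proxy hop is assumed, so the rightmost entry is
    the address our proxy actually saw."""
    peer = ipaddress.ip_address(peer_addr)
    if x_forwarded_for and any(peer in net for net in TRUSTED_PROXIES):
        return x_forwarded_for.split(",")[-1].strip()
    return peer_addr

def build_siteverify_request(secret: str, token: str, remoteip: str) -> urllib.request.Request:
    """Form-encoded POST with the three parameters the question lists."""
    body = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remoteip}).encode()
    return urllib.request.Request(SITEVERIFY_URL, data=body, method="POST")

def evaluate(result: dict, expected_host: str, expected_action: str,
             min_score: float = 0.5) -> Tuple[bool, str]:
    """Decide whether a decoded siteverify JSON reply clears the form.
    A bare success flag is not enough: the token must have been solved on
    our hostname, for the action we embedded, with a score above threshold."""
    if not result.get("success"):
        return False, "siteverify error: " + ",".join(result.get("error-codes", []))
    if result.get("hostname") != expected_host:
        return False, "hostname mismatch"
    if result.get("action") != expected_action:
        return False, "action mismatch"
    score = result.get("score")
    if score is None or score < min_score:
        return False, "score %s below %s" % (score, min_score)
    return True, "ok"

if __name__ == "__main__":
    # Constructed request: peer is our proxy, XFF carries the real client.
    ip = client_ip("10.0.0.5", "198.51.100.7")
    req = build_siteverify_request("SECRET_KEY_PLACEHOLDER", "TOKEN_FROM_FORM", ip)
    print(req.full_url, req.data)
    # Constructed sample reply (not a real Google response).
    print(evaluate({"success": True, "score": 0.9, "action": "contact",
                    "hostname": "example.com"}, "example.com", "contact"))
```

Sending the request with `urllib.request.urlopen(req)` and decoding the JSON body is left to the caller so the functions above stay testable offline.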
4

In the past, Google has in some cases refused requests without the remote IP. Later, they would take any string, including a blank string. Now it seems optional. I imagine they are asking for the IP to help with security both for your purposes and to help prevent abuse of the API. The current docs mark it as optional, so feel free to omit it if you'd like.

https://developers.google.com/recaptcha/docs/verify

Here is a Google Groups post from 2010, where Recaptcha support implies that the remoteip may someday become mandatory:

https://groups.google.com/forum/#!topic/recaptcha/Q83LJKz4biA

Doesn't seem like it has happened, but it looks like they were considering making it mandatory at one time and didn't go through with it. That's pure speculation on my part.

MrSynAckSter
    But *how* would my provision of the remote ip help security? – Mooseman Feb 17 '15 at 20:13
  • They might be using it to make sure you aren't abusing the Captcha system (running bots against it to learn to beat it). They might be trying to ban flagged bots. That kind of thing. – MrSynAckSter Feb 17 '15 at 20:18
4

There is another reason - a lot of internal networks use recaptcha too - like on WiFi hotspots, and things like that.

In these circumstances, Google sees both the user's and the server's IP as the same, since they share the same connection. Giving Google the user's local IP allows the risk-assessment machine to do a better job of tracking individuals who are brute-forcing the picture selection, which otherwise would blacklist ALL users.

<tinfoil> Also, Google wants your data but can't always justify why. </tinfoil>

J.J
-1

IP addresses can be allocated to countries. If someone from, say, Africa tries to enter a form in Canada on a website dedicated to supplying products in Canada, Google might flag this as an anomaly to reduce the score.

Sorry, I was referring to Google reCaptcha v3, which states:

"reCAPTCHA uses an advanced risk analysis engine and adaptive challenges to keep malicious software from engaging in abusive activities on your website"

https://www.google.com/recaptcha/about/

V3 doesn't display anything, it sends a score which determines how legitimate the contact form response is.

Kim
  • "might" -- are you sure that this is true? Because it doesn't make sense. Why would Google see it as an anomaly? How does reCaptcha know that the site is intended for Canadians? The reCaptcha process is not tied to the web crawling and search processes in Google. – schroeder Oct 26 '20 at 08:03