A Hidden Backdoor: Bypassing reCAPTCHA on the Sign-up Page
Summary
A security researcher has discovered a way to bypass reCAPTCHA during the registration process on Target’s web application.
The vulnerability lies in the GraphQL endpoint that handles registrations, allowing attackers to create spam accounts.
The reCAPTCHA token, which the server normally validates to ensure a human is creating the account, can be bypassed using Egor Homakov’s method.
This allows malicious actors to create spam accounts, impacting the application’s reputation and putting users at risk of phishing attacks and scams.
The issue lies in the reCAPTCHA implementation rather than in GraphQL itself, which is otherwise secure.
So far, there is no evidence that the vulnerability has been exploited.
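The server-side check the summary refers to, shown as an added example that is not code from the original write-up or from the affected application: a sign-up resolver that verifies the reCAPTCHA token against Google's documented siteverify API and fails closed on the conditions a bypass typically relies on (no or false `success` flag, token issued for another hostname, expired token, replayed token, missing server secret). The siteverify URL and JSON fields (`success`, `challenge_ts`, `hostname`, `error-codes`) are the documented ones; the resolver name, the replay cache, and the canned siteverify replies in `demo()` are constructed for this example.

```python
"""Server-side reCAPTCHA verification for a sign-up resolver (added example).

Assumes reCAPTCHA's documented siteverify API: POST form fields `secret` and
`response` to https://www.google.com/recaptcha/api/siteverify, JSON reply with
`success`, `challenge_ts`, `hostname` and `error-codes`. Everything else
(resolver name, replay cache, sample replies) is constructed for the example.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
TOKEN_MAX_AGE = timedelta(minutes=2)  # reCAPTCHA response tokens expire after two minutes


def siteverify_post(secret, token):
    """Real network call to siteverify; returns the parsed JSON reply as a dict."""
    data = urllib.parse.urlencode({"secret": secret, "response": token}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_recaptcha(token, secret, expected_hostname, used_tokens, post=siteverify_post, now=None):
    """Return (ok, reason). Fails closed on every path: a token is accepted only if
    siteverify reports success for our secret, for our hostname, recently, and the
    token has not been presented before (one token, one account)."""
    now = now or datetime.now(timezone.utc)
    if not secret:
        return False, "server misconfigured: no reCAPTCHA secret"  # never skip the check
    if not token:
        return False, "missing reCAPTCHA token"
    try:
        result = post(secret, token)
    except Exception as exc:  # network or parse failure: do not assume a human
        return False, f"siteverify unavailable: {exc}"
    if result.get("success") is not True:
        codes = ",".join(result.get("error-codes", [])) or "unspecified"
        return False, f"siteverify rejected token: {codes}"
    if result.get("hostname") != expected_hostname:
        return False, f"token issued for another site: {result.get('hostname')!r}"
    try:
        issued = datetime.fromisoformat(str(result.get("challenge_ts")).replace("Z", "+00:00"))
    except ValueError:
        return False, "unparseable challenge_ts"
    if issued.tzinfo is None:
        issued = issued.replace(tzinfo=timezone.utc)
    if not (now - TOKEN_MAX_AGE <= issued <= now + timedelta(minutes=1)):
        return False, "stale challenge timestamp"
    if token in used_tokens:  # replay cache: constructed in-memory set, use a shared store in production
        return False, "token replayed"
    used_tokens.add(token)
    return True, "ok"


def register_user(email, recaptcha_token, ctx):
    """Constructed GraphQL-style resolver: the CAPTCHA check runs before any account exists."""
    ok, reason = verify_recaptcha(recaptcha_token, ctx["secret"], ctx["hostname"],
                                  ctx["used_tokens"], post=ctx["post"], now=ctx.get("now"))
    if not ok:
        return {"ok": False, "error": reason}
    ctx["accounts"].append(email)
    return {"ok": True, "userId": len(ctx["accounts"])}


def demo():
    """Run the resolver against constructed siteverify replies; returns the list of outcomes."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    replies = {  # constructed stand-ins for siteverify JSON replies
        "good-token": {"success": True, "challenge_ts": "2024-01-01T11:59:30Z", "hostname": "example.com"},
        "other-site": {"success": True, "challenge_ts": "2024-01-01T11:59:30Z", "hostname": "other.example"},
        "stale-token": {"success": True, "challenge_ts": "2024-01-01T10:00:00Z", "hostname": "example.com"},
        "bad-token": {"success": False, "error-codes": ["invalid-input-response"]},
    }
    ctx = {"secret": "constructed-secret", "hostname": "example.com", "used_tokens": set(),
           "accounts": [], "now": now,
           "post": lambda secret, token: replies.get(
               token, {"success": False, "error-codes": ["invalid-input-response"]})}
    attempts = [("a@example.com", "good-token"), ("b@example.com", "good-token"),  # second use is a replay
                ("c@example.com", "other-site"), ("d@example.com", "stale-token"),
                ("e@example.com", "bad-token"), ("f@example.com", "")]
    return [register_user(email, token, ctx) for email, token in attempts]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Only the first attempt creates an account; the same token presented a second time, a token minted for another hostname, an expired token, a token siteverify rejects, and an empty token are all refused before any registration happens. The `post` parameter exists so the verification logic can be exercised offline, as `demo()` does; in production the default `siteverify_post` is used and the replay cache should live in a store shared by all application instances.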