
Recapture V2 Issues


ianc


I had an issue with recapture v2 allowing someone to hack in and send spam from my server... I've now loaded "basix" skin which is compatible with "Recapture invisible" and after some trouble got this all installed.

I'll report back if this seems to cure the original problem.

But... can anyone recommend a skin that is closer in style to koyoto.


After loading the basix skin and updating Recapture to the "invisible" version, I am still seeing spam emails sent out from the CubeCart shop.

See the attached screenshot of the CubeCart email log. Tests we made have personal details blurred.

The request log shows an entry in the following format with the Recapture keys being removed.

Today, 06:59
Request Sent (cURL) - https://www.google.com/recaptcha/api/siteverify?secret=( key code removed here ) &response=( long random number removed here ) &remoteip=109.107.184.211 Response received (200 - OK) { "success": true, "challenge_ts": "2022-11-03T06:58:42Z", "hostname": "towersecurity.co.uk" }

This must be a serious issue for CubeCart and its users.. please can anyone help.

Many thanks

email log.jpg

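The siteverify response in the request log above carries more than the `success` flag: it also names the `hostname` the token was issued for and the `challenge_ts` at which the challenge was completed. As an added example (not CubeCart's code and not from anyone in this thread), the script below reads log lines in the same shape as the one quoted above, extracts the JSON body, and reports every reason a response should not be trusted: `success` false, a hostname that is not the shop's own domain (which is what the question about domain-specific keys is checking), or a challenge timestamp older than a short window. The expected hostname, the two-minute freshness window and the three sample log lines are assumptions constructed for the example; the IP addresses are from the documentation range.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Assumed for this example: the domain the site's own reCAPTCHA keys were issued for.
EXPECTED_HOSTNAME = "towersecurity.co.uk"
# Assumed policy: a token whose challenge_ts is older than this is treated as stale.
MAX_TOKEN_AGE = timedelta(minutes=2)

# Matches the "Request Sent (cURL) - <url> ... Response received (<code> - <text>) <json>"
# shape of the CubeCart request-log entry quoted in the thread.
LOG_RE = re.compile(
    r"Request Sent \(cURL\) - (?P<url>\S+) .*?"
    r"Response received \((?P<status>\d+) - [^)]*\) (?P<body>\{.*\})\s*$"
)

# Constructed sample log lines (secret and token redacted with placeholders).
SAMPLE_LOG_LINES = [
    'Today, 06:59 Request Sent (cURL) - https://www.google.com/recaptcha/api/siteverify'
    '?secret=SECRET_REDACTED&response=TOKEN_REDACTED&remoteip=203.0.113.10 '
    'Response received (200 - OK) { "success": true, "challenge_ts": "2022-11-03T06:58:42Z", '
    '"hostname": "towersecurity.co.uk" }',
    # Token valid for a different site: a key/hostname mismatch.
    'Today, 06:59 Request Sent (cURL) - https://www.google.com/recaptcha/api/siteverify'
    '?secret=SECRET_REDACTED&response=TOKEN_REDACTED&remoteip=203.0.113.11 '
    'Response received (200 - OK) { "success": true, "challenge_ts": "2022-11-03T06:58:50Z", '
    '"hostname": "other.example" }',
    # Google rejected the token (replayed or expired).
    'Today, 06:59 Request Sent (cURL) - https://www.google.com/recaptcha/api/siteverify'
    '?secret=SECRET_REDACTED&response=TOKEN_REDACTED&remoteip=203.0.113.12 '
    'Response received (200 - OK) { "success": false, "error-codes": ["timeout-or-duplicate"] }',
]

# Constructed "now" matching the log's "Today, 06:59" so the first sample is fresh.
SAMPLE_NOW = datetime(2022, 11, 3, 6, 59, 30, tzinfo=timezone.utc)


def parse_log_line(line):
    """Return {'url', 'status', 'body'} for a siteverify log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "url": m.group("url"),
        "status": int(m.group("status")),
        "body": json.loads(m.group("body")),
    }


def assess_siteverify(body, expected_hostname=EXPECTED_HOSTNAME, now=None, max_age=MAX_TOKEN_AGE):
    """Return the list of reasons to reject this siteverify response; empty means it checks out."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    if not body.get("success"):
        reasons.append("success=false: " + ",".join(body.get("error-codes", [])))
    hostname = body.get("hostname")
    if hostname != expected_hostname:
        reasons.append(f"hostname mismatch: {hostname!r}")
    ts = body.get("challenge_ts")
    if ts is None:
        reasons.append("missing challenge_ts")
    else:
        challenge = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        age = now - challenge
        # Only staleness is rejected; a slightly-future timestamp is tolerated as clock skew.
        if age > max_age:
            reasons.append(f"challenge_ts too old: {age}")
    return reasons


def review_log(lines, **kw):
    """Parse every matching line and pair its hostname with the rejection reasons found."""
    results = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        results.append((rec["body"].get("hostname"), assess_siteverify(rec["body"], **kw)))
    return results


if __name__ == "__main__":
    for hostname, reasons in review_log(SAMPLE_LOG_LINES, now=SAMPLE_NOW):
        print(hostname, "OK" if not reasons else "; ".join(reasons))
```

The first sample passes all three checks, which is exactly the situation described in the thread: a well-formed, fresh, correctly-scoped token can still accompany a spam message, because the checks prove the token, not the sender. The second and third samples show the two cases the server can reject on its own without relying on Google's verdict alone.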

Just to confirm, did you fetch from Google a set of Site and Secret keys specific to towersecurity.co.uk? I would think so as that domain is in the response from the request.

Only the Contact Us page sends an email to the admin using only Plain Text.

And I see the Contact Us page is getting hit several times a day, spaced hours apart, with several of those attempts failing to send.

I am no expert on Google's "ReCaptcha", so it wouldn't surprise me to see a well-behaved, technically competent spammer "fooling" Google so that it responds that all is well.


Yes, recapture seems to be set up ok, given the recapture logo popping out in the bottom right corner.
I don't know how it works as there doesn't seem to be a way to show you're human.. like a checkbox, type text, select pictures, etc.

The spams with an X beside them are being rejected by the host server.. presumably because of the offensive content.. it still let some of them through.

I left a message on CC's technical support page.. It seems a serious bug to me, I hope they think the same.

I'd message Google too, but I don't see how I can.

It looks like someone is going into the public "contact us" form and manually entering a message.
This sends a message to us, and also to the email address typed into the contact form.

Google's explanation of how recapture works:
reCAPTCHA v2 (Invisible reCAPTCHA badge)
The invisible reCAPTCHA badge does not require the user to click on a checkbox, instead it is invoked directly when the user clicks on an existing button on your site or can be invoked via a JavaScript API call. The integration requires a JavaScript callback when reCAPTCHA verification is complete. By default only the most suspicious traffic will be prompted to solve a captcha. **To alter this behavior edit your site security preference under advanced settings**.

Presumably the recapture thinks clicking on the contact button proves they're human so doesn't stop anything....

This doesn't seem secure to me but maybe it's considered a minor inconvenience :(

CubeCart technical support reply:

3 Nov 2022, 10:31 GMT
Hi Ian,

I'm sorry you are having troubles. We have no better spam prevention tool at this time but it is well known that the Google reCaptcha tools can be bypassed (a quick google search will show this). Saying this on the whole they do still offer a good level of protection compared to having it off completely and most merchants using these tools still find them to be useful.

I can't provide on demand support without a support plan I'm afraid to look deeper into your specific case.

A more robust solution would be a good addition to CubeCart. I expect you will find that it tails off on its own after a while.

Kind Regards,

Also from CC Tech:

3 Nov 2022, 13:49 GMT
It's an industry wide problem sadly. The bots seem to get ahead faster than the solution.
Kind Regards
