2025-03-26 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
Today I will walk you through how the reCAPTCHA check in the Tumblr user registration flow could be analyzed and bypassed. Many people may not know much about this topic, so the editor has summarized the following content to make it easier to understand. I hope you get something out of this article.
Hello everyone. The writeup shared below describes how the author found a defect in the "human verification" mechanism (reCAPTCHA) used during Tumblr user registration that could be bypassed trivially. The security risk of this bypass is that attackers can create large numbers of fake social accounts and enumerate the usernames and email addresses of existing accounts, which indirectly leads to abnormal traffic and even leakage of user information in Tumblr's applications.
My understanding and experience of vulnerability testing
On June 16 last year, HackerOne paid out more than $80,000 for vulnerabilities discovered at the hackathon held in London. Crowdsourced vulnerability testing is clearly a promising industry. For bug bounty platforms, organized bounty events encourage security researchers to find vulnerabilities and improve the quality of the reports they submit, and detailed vulnerability information can be forwarded to vendors for timely repair.
Security is a complex science, and even large companies make mistakes. Enterprises often face uncertain security risks in the gap between their internal resources and external attackers, and vulnerability testing can help close that gap. If your organization cannot train or select high-quality, diverse security testers internally, you can test and find vulnerabilities in security products or related systems with the help of external crowdsourced testing programs or consulting services.
Personally, I have also had some bad experiences with crowdsourced testing. I once reported to Myspace a high-risk vulnerability that allowed access to any account, but during my lengthy negotiation with Myspace they were so indifferent that I chose to disclose the vulnerability (click here to read). That vulnerability affected nearly 360 million user accounts, and I had no choice but to hope that public pressure would get it fixed.
By contrast, when I found a vulnerability in Tumblr's reCAPTCHA verification and reported it to them via Twitter, they communicated with me directly and privately, and the vulnerability was fixed after only two days. Here is my account of the vulnerability discovery process.
Tumblr's reCAPTCHA bypass vulnerability
When I visited www.tumblr.com to register a user account, I found a misconfiguration in the embedded Google reCAPTCHA service: in the reCAPTCHA request sent by the client to the application, the parameter named 'g-recaptcha-response' could be left empty. The vulnerability affects all newly registered users and requires no special tools to exploit; it is enough to click the buttons that appear on the site manually or to modify the request through an intercepting proxy.
Vulnerability impact
Generally speaking, a properly deployed CAPTCHA mechanism has a rate-limiting effect (Rate Limiting): it prevents spammers from creating fake social accounts and reduces the number of requests that reach a given application. The reCAPTCHA bypass I found on the Tumblr page can be used by attackers to create fake accounts; in addition, because Tumblr's registration mechanism only allows a registered email address to be bound to one username, the vulnerability can also be used for brute-force enumeration of user email addresses and usernames. Repeated enumeration can disclose Tumblr user registration information.
Vulnerability reproduction
Let's first take a look at the normal account creation process on www.tumblr.com. First, go to the login page https://www.tumblr.com/login and click the registration button "Sign up" in the upper right corner:
You are then taken to the account registration page https://www.tumblr.com/register:
After clicking the 'Get Started' button, some required fields appear, including username, password, and email address:
After filling in the above required fields, enter your age and accept the terms of service:
Next, a human verification (reCAPTCHA) page pops up:
In addition to the "reCAPTCHA" widget deployed here, there is also an "Almost Done!" button below it. The funny thing is that, although the "human verification" normally has to be completed before proceeding to the next step, my testing found that you can skip checking "I'm not a robot" in the "human verification" widget altogether and simply click the "Almost Done!" button at the bottom to complete the so-called "human verification" and go straight to the user's Tumblr home page. Is the "human verification" (reCAPTCHA) deployed here just for show?
Packet capture analysis
For further analysis, let's use Burp to see exactly what request and response the user's browser exchanges at the "human verification" (reCAPTCHA) step.
The POST request sent when the reCAPTCHA step is submitted is as follows:
If you look closely at the above POST request, you can see that the reCAPTCHA challenge result is carried in a parameter named 'g-recaptcha-response', highlighted in red in the screenshot above. But what happens if we leave this parameter empty, which is equivalent to not checking the box at all? The POST request constructed that way is as follows:
Testing shows that the Tumblr server returns the same valid response to both of the above POST requests:
In other words, the Tumblr server simply forgot to check the value of the 'g-recaptcha-response' parameter, which caused the "reCAPTCHA" mechanism above to be bypassed.
Although many web applications treat their user base as highly trusted, verification bypass vulnerabilities like this one are common on such sites. Not long ago, Google fixed a vulnerability that allowed reCAPTCHA to be bypassed completely.
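The root cause described above is a server that reads the registration form but never validates the 'g-recaptcha-response' token. The following added example (not Tumblr's code, and not part of the original writeup) shows the vulnerable handler beside a hardened one that rejects an empty token, asks the verifier for a verdict, and checks the hostname in the result; the Tumblr hostname, the secret-key placeholder and the offline stand-in verifier are assumptions.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Mapping

# Google's real verification endpoint; the offline test below does not call it.
SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
EXPECTED_HOSTNAME = "www.tumblr.com"  # assumed host the widget is served from


def vulnerable_register(form: Mapping[str, str]) -> bool:
    """The behaviour the writeup describes: the token is never examined."""
    return bool(form.get("email")) and bool(form.get("password"))


def verify_with_google(secret: str, token: str, remote_ip: str) -> dict:
    """Live verifier: POST the token to siteverify and return the parsed JSON."""
    data = urllib.parse.urlencode(
        {"secret": secret, "response": token, "remoteip": remote_ip}).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=data, timeout=5) as resp:
        return json.load(resp)


def hardened_register(form: Mapping[str, str], remote_ip: str,
                      verify: Callable[[str, str, str], dict]) -> bool:
    """Allow registration only when a token is present and the verifier confirms it."""
    token = form.get("g-recaptcha-response", "").strip()
    if not token:
        return False  # the empty-parameter case from the writeup
    try:
        result = verify("SECRET-KEY-PLACEHOLDER", token, remote_ip)
    except Exception:
        return False  # fail closed if the verifier is unreachable or malformed
    if result.get("success") is not True:
        return False
    if result.get("hostname") != EXPECTED_HOSTNAME:
        return False  # token was solved on some other site
    return bool(form.get("email")) and bool(form.get("password"))


def fake_verifier(secret: str, token: str, remote_ip: str) -> dict:
    """Constructed stand-in for siteverify so the example runs offline."""
    if token == "valid-token":
        return {"success": True, "hostname": EXPECTED_HOSTNAME}
    if token == "other-site-token":
        return {"success": True, "hostname": "evil.example"}
    return {"success": False, "error-codes": ["invalid-input-response"]}
```

To run against the live endpoint, pass `verify_with_google` instead of `fake_verifier` and replace the secret-key placeholder with the site's server-side key.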
After reading the above, do you have a better understanding of how the reCAPTCHA check in the Tumblr user registration flow could be analyzed and bypassed? If you want to learn more, please follow the industry information channel. Thank you for your support.