reCAPTCHA authenticates as valid even for two incorrect words


Problem description

Just to give a background for my question, I am using Vanilla Forums for a website I run. Vanilla Forums comes with baked-in support for using reCAPTCHA to authenticate new registrations on the website, which I have enabled. Recently on my forum, however, I have seen a spike in spam registrations (obvious 'spammy' usernames, same email address used, et al.)

I looked into this to try to see how spambots could be getting past the reCAPTCHA verification. I know that in reCAPTCHA, one of the words is known by the system and the other isn't, so it is possible that a form submit might validate even if one incorrect word is entered.

So I tried out a couple of things on the registration form on my site, by entering invalid reCAPTCHA inputs. I found that...


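  • if the correct number of characters is entered for each word

  • the answers entered for both words are typed correctly, except for one character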

...no reCAPTCHA error is thrown.

I don't think this issue is isolated to Vanilla Forums either. When you go to the demo page for reCAPTCHA, try this yourself. Enter two words, correct number of characters, but the words themselves off by one character - with 'similar' looking characters (like, an 'a' instead of a 'd', 'v' instead of 'w'.)

Is there something wrong with Vanilla's implementation of reCAPTCHA or is this a known issue with reCAPTCHA itself? (You can test Vanilla's registration form here.)

Possibly related: Has reCaptcha been cracked / hacked / OCR'd / defeated / broken?

Recommended answer

Just found the answer in the reCAPTCHA Wiki:


On the verification word, reCAPTCHA intentionally allows an "off by one" error depending on how much we trust the user giving the solution. This increases the user experience without impacting security. reCAPTCHA engineers monitor this functionality for abuse.
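
The behaviour quoted in the answer, combined with the asker's point that only one of the two words is known to the system, as an added sketch (not reCAPTCHA's or Vanilla's code). The function names, the trust score and its 0.5 threshold are assumptions made for illustration.

```python
# Added illustration: a two-word CAPTCHA check with trust-gated off-by-one tolerance.
# All names and the 0.5 trust threshold are assumptions, not reCAPTCHA's real logic.

def within_one_edit(answer: str, expected: str) -> bool:
    """True if answer equals expected or differs by one substitution, insertion or deletion."""
    if answer == expected:
        return True
    la, le = len(answer), len(expected)
    if abs(la - le) > 1:
        return False
    # Skip the common prefix, then compare what follows the first mismatch.
    i = 0
    while i < min(la, le) and answer[i] == expected[i]:
        i += 1
    if la == le:
        return answer[i + 1:] == expected[i + 1:]   # one substituted character
    if la < le:
        return answer[i:] == expected[i + 1:]       # one character missing
    return answer[i + 1:] == expected[i:]           # one extra character


def verify(control_answer: str, unknown_answer: str, control_word: str,
           trust: float, trust_threshold: float = 0.5) -> bool:
    """Decide pass/fail for a two-word challenge.

    Only the control (verification) word can be checked. The unknown word has
    no stored solution, so any non-empty answer for it is accepted here.
    """
    if not unknown_answer.strip():
        return False
    given = control_answer.strip().lower()
    expected = control_word.lower()
    if trust >= trust_threshold:
        # Trusted submitter: tolerate a single-character slip on the control word.
        return within_one_edit(given, expected)
    # Low-trust submitter: the control word must match exactly.
    return given == expected
```

With a constructed control word `morning`, a trusted submission of `morninq` plus any non-empty second word passes, which matches what the question observed; the same input from a low-trust submitter fails.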
