emergency reCAPTCHA deactivate link enables coordinated brute force attacks

Hi @pakkriss,

You are wrong, attackers don’t see deactivation link.

https://domain.tld/wp-login.php?action=sgr_disable works somehow very well.

We recognize this, and maybe another issues since web pages logins “lose” regular reCaptacha and site/secret keys.

I just tested this link for login and it works well. No reCaptacha on this site, and site and secret keys are gone.

Please advise.

Try to open login page in anonymous window or different browser than you usually use and you will see that you will not be able to use that deactivation link.

This is a kind of security mechanism and I don’t want to describe it more. Mentioned keys are removed when emergency deactivation link is used by authorized user and without those keys, reCAPTCHA protection is disabled.

Thanks for feedback.

Can you describe a potential way to disable the emergency deactivation completely?

There’s no need for anything to remove the keys on undocumented triggers.

Just to get safety back. Or let me know to which version we can roll back.

If needed we can always disable the plugin on file system level.

Please advise.

Thank you!

Hi, can confirm that my keys have been disappearing as well. Suddenly receiving a lot of spam.

Version 3.5 is without this feature. Emergency deactivation link is a secure method. Unfortunately I’m not able to simulate what you described – everything works good.

Interesting. I commented out the disableProtection() function, but my keys just got wiped again and spam started to come in. Any idea what else could be causing the keys to vanish?

Hello.

I’m having the exact same problem for the past few days. Would anyone explain how the keys are disappearing from the plugin settings if only I, the site administrator, have access to this?

Hi @fabinhoalmeida and others,

Big apologize! I found a weak point in new keys saving process, fixed now – version 3.7.

Thank’s all!

Hello Minor,

Thank you for the quick solution.

Congratulations on the great plugin and the great work.

Thank you!

Actually it wasn’t quick at all. I started with analysing few days ago. Today resolved, finally! ??

I continue with this problem. I already removed and installed the plugin again, and nothing! help

Hello @minor,
I’ve got the same issue,, I test my login/registration/lostpassword forms in an other web browser where I deleted all my historial/ cookie but when I click on My form “create account”, I can see and use the link to remove the captcha as I want.

PS: These forms are BuddyBoss forms

• This reply was modified 3 years, 12 months ago by liljul.

I did a simple Google search: “What is ‘Emergency ReCAPTCHA deactivate?” It’s an additional ReCAPTCHA box with a red text link underneath it, which reads “Emergency ReCAPTCHA deactivate,” appearing below the one already there. And what do I get from that simple Google search query? I get all this gibberish that makes no attempt at answering the question. How could it be I fall into a trap like this? A total waste of my time? Is it the result of incorrect tagging of content on this site? You would think a simple question would elicit a simple answer, right? Whatever happened to the KISS principle, guys? Well, it so happens, when I click the “Emergency ReCAPTCHA deactivate” link, that second ReCATCHA dialog box that had popped up below the first one, disappeared. I’m trying to figure out what that was all about.

Today we got a brute force attack despite Simple Google reCAPTCHA 3.8. New to us is that it was able to login as new user and change the password.

Before installing reCAPTCHA, brute force attacks were able to register new users only. But they were not able to read the registration password sent by Woocommerce and change it.