• Resolved donmiat

    (@donmiat)


    Dear Sir or Madam,

    I have noticed an enumeration vulnerability (found by a vulnerability scan).

    The ReCaptchaV2 does not work as it should on the password recovery page /wp-login.php?action=lostpassword

    When you try to recover a password with a non-existing user the ReCaptcha does not trigger. WordPress just says wrong username and password. So when someone tries to recover a password with a non-existing user the captcha is bypassed.

    So, in theory, someone could use this to find out the username.

    Next to that, the tool also found that the server does not validate the CAPTCHA response parameter; whether this is due to our server or a bug in the plugin was not clear.

    Looking forward to your thoughts.

    Regards,

    The page I need help with: [log in to see the link]

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi,

    When you try to recover a password with a non-existing user the ReCaptcha does not trigger. WordPress just says wrong username and password. So when someone tries to recover a password with a non-existing user the captcha is bypassed.

    I am not really sure I understand your issue. WordPress will always say wrong username and password to a non-existing WP user, regardless of whether you have the reCAPTCHA feature enabled or not, or whether you enter the wrong captcha.

    Let me know if the above makes sense to you.

    Kind regards

    Thread Starter donmiat

    (@donmiat)

    Hello there,

    Thanks for the swift reply.

    Doesn’t it make sense that the re-captcha should be completed first before WordPress checks if the username exists? So in steps:

    1. go to recover password page
    2. try a non-existing username without ticking captcha challenge
    3. WordPress message "no such username or wrong username"

    So someone can try as many usernames as he or she wants this way, until the right one is found.

    It would make more sense that the 3rd step would be a reCaptcha error message that captcha is not met. The captcha should be completed always no matter if the username exists or not.

    Maybe it is totally a stupid question, but to me it kinda makes sense that ReCaptcha should always be completed without exception.

    Looking forward to your reply.

    • This reply was modified 4 years, 9 months ago by donmiat.
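    The ordering the poster asks for (captcha verified before WordPress decides whether the account exists) can be implemented with WordPress's own `lostpassword_post` action, which fires inside `retrieve_password()` before the "no such user" check. The snippet below is an added example written for this thread; it is not code from the All In One WP Security plugin or from WordPress core. It assumes a hypothetical constant `MY_RECAPTCHA_SECRET` holding the reCAPTCHA v2 secret key and that the lost-password form already renders the reCAPTCHA widget, so the browser submits the standard `g-recaptcha-response` field. The function names `example_recaptcha_is_valid` and `example_require_recaptcha_on_lostpassword` are also made up for illustration.

```php
<?php
/**
 * Added example (not code from the All In One WP Security plugin or from
 * WordPress core): verify the reCAPTCHA v2 response on the lost-password
 * form BEFORE WordPress checks whether the submitted username/email exists.
 *
 * Assumptions (hypothetical, for illustration):
 *  - the secret key is defined as MY_RECAPTCHA_SECRET in wp-config.php;
 *  - the lost-password form already shows the reCAPTCHA widget, so the
 *    browser submits the standard "g-recaptcha-response" POST field.
 *
 * In recent WordPress versions the "lostpassword_post" action runs inside
 * retrieve_password() before the "invalidcombo" (no such user) branch, so an
 * error added here is returned to the visitor first and the existence of the
 * account is never revealed on an unverified request.
 */

/**
 * Ask the reCAPTCHA siteverify endpoint whether the token is valid.
 * Returns true only on an explicit {"success": true} answer; a missing
 * token, a transport error or malformed JSON all count as failure, which
 * also covers the scanner's finding that the response parameter was not
 * validated server-side.
 */
function example_recaptcha_is_valid( $token ) {
    if ( ! is_string( $token ) || '' === $token ) {
        return false; // parameter absent or empty: treat as not solved
    }

    $response = wp_remote_post(
        'https://www.google.com/recaptcha/api/siteverify',
        array(
            'timeout' => 10,
            'body'    => array(
                'secret'   => MY_RECAPTCHA_SECRET, // hypothetical constant
                'response' => $token,
                'remoteip' => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
            ),
        )
    );

    if ( is_wp_error( $response ) ) {
        return false; // fail closed: no verification, no reset e-mail
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );

    return is_array( $data ) && isset( $data['success'] ) && true === $data['success'];
}

/**
 * Hooked to lostpassword_post. $errors is the WP_Error object that
 * retrieve_password() is building; adding an error to it makes that function
 * return immediately, so the username-existence check never runs for a
 * request whose captcha was not solved.
 */
function example_require_recaptcha_on_lostpassword( $errors ) {
    $token = isset( $_POST['g-recaptcha-response'] )
        ? wp_unslash( $_POST['g-recaptcha-response'] )
        : '';

    if ( ! example_recaptcha_is_valid( $token ) ) {
        $errors->add(
            'recaptcha_failed',
            __( 'Please complete the CAPTCHA before requesting a password reset.' )
        );
    }
}
add_action( 'lostpassword_post', 'example_require_recaptcha_on_lostpassword', 10, 1 );
```

    Dropped into a must-use plugin, this makes step 3 of the poster's sequence a captcha error for existing and non-existing usernames alike, so the lost-password form no longer distinguishes the two cases to a visitor who has not solved the challenge. To check it, submit a made-up username without ticking the widget and confirm the captcha message comes back instead of the "no such username" message.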
    Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, I understand what you mean. We already have measures in place for this. If you go to WP Security -> User Login -> Login Lockdown, you have a few options you can configure to prevent this issue from happening.

    For example:

    1) First enable "Enable Login Lockdown Feature".
    2) Set "Max Login Attempts" to a value of 1.
    3) Leave "Login Retry Time Period (min)" at a value of 5, which is the default.
    4) Set "Time Length of Lockout (min)" to a really high value, for example 2000.
    5) Enable "Instantly Lockout Invalid Usernames".
    6) Enable "Notify By Email".

    The above steps will stop and prevent the issue you mentioned below, because their IP address will be blocked completely by our plugin. So no matter how many random names they can think of and decide to enter, it won’t happen, because their IP address will be blocked after the 1st incorrect attempt as per the value entered in Step 2) above.

    So someone can try as many usernames as he or she wants this way, until the right one is found.

    Also, every time you receive an e-mail about someone getting locked out, enter the username in the field "Instantly Lockout Specific Usernames" if a username is mentioned in the e-mail received.

    Let me know if the above helps you.

    Kind regards

    • This reply was modified 4 years, 9 months ago by mbrsolution.
    Thread Starter donmiat

    (@donmiat)

    Thank you again for the swift reply.

    I already have this set up. Lockdown after 3 attempts with wrong username or password. This will stop any brute force attempt and is a really good measure. Use it on all our websites.

    Unfortunately, the vulnerability scan (from client) keeps on signaling the ReCaptcha weakness.

    Could you tell me if this is normal behaviour with regards to the reCAPTCHA? I mean, is it a WordPress thing that if the username is non-existing the reCAPTCHA is not used? Or is it a bug from the AIOSAF plugin?

    Thank you for your time.

  • The topic ‘Recaptcha v2 – enumeration vulnerability – password recovery form’ is closed to new replies.