Hello Shopify Team,
We have received an improper captcha implementation vulnerability notification from our external source (BugCrowd) on www.ontechsmartservices.com which needs to be addressed at the earliest to close this issue.
Vulnerability Title: Captcha Implementation Vulnerability
Description:
The captcha token, when removed from the request and sent to the server, is still accepted by the application. As a result, users can bypass captcha validation and gain access to the dashboard without passing the required captcha challenge.
Steps to Reproduce:
Go to www.ontechsmartservices.com
Click on "Create Account" and enter the required details.
Capture the request in Burp Suite and remove the captcha token from the request.
Intercept the response and observe that the captcha is not being validated, allowing the user to access the dashboard.
Impact:
This improper captcha implementation can lead to rate-limiting attacks, such as brute-forcing the login page. In the worst case, it could lead to account takeover, compromising user accounts and data.
Remediation:
Introduce a proper server-side check for the CAPTCHA.
Make sure that the user input matches the CAPTCHA.
Make sure that the CAPTCHA is difficult to solve by computers.
References:
https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration
http://projects.webappsec.org/w/page/13246959/Server%20Misconfiguration
https://cwe.mitre.org/data/definitions/804
https://cwe.mitre.org/data/definitions/16
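The pattern the report describes (a signup handler that only checks the CAPTCHA when the token field happens to be present, so deleting the field from the request skips validation) next to a fail-closed version, as an added example. This is not code from the original post, from Shopify, or from the store in question; the handler names, the request shape, the `verify` callback standing in for the CAPTCHA provider's server-side verification call, and the `tok_solved_example` token value are all assumptions made for the demonstration.

```javascript
// Added example (not from the original post or from Shopify).
// `verify` is an injected function standing in for the CAPTCHA provider's
// server-side verification endpoint (assumption: real providers expose this
// over HTTP and the handler would await that call).

// Vulnerable pattern: the CAPTCHA is validated only if the client chose to send it.
function vulnerableSignup(body, verify) {
  if (body.captchaToken !== undefined) {
    if (!verify(body.captchaToken)) {
      return { ok: false, reason: "captcha_failed" };
    }
  }
  // Reached with no CAPTCHA check at all when the field was removed from the request.
  return { ok: true, reason: "account_created" };
}

// Hardened pattern: the token is mandatory, type-checked, verified server-side,
// and any failure in the verification path is treated as a failed challenge.
function hardenedSignup(body, verify) {
  const token = body.captchaToken;
  if (typeof token !== "string" || token.trim() === "") {
    return { ok: false, reason: "captcha_missing" };
  }
  let verified;
  try {
    verified = verify(token);
  } catch (err) {
    // An outage of the verification service must not become a bypass.
    return { ok: false, reason: "captcha_unavailable" };
  }
  if (verified !== true) {
    return { ok: false, reason: "captcha_failed" };
  }
  return { ok: true, reason: "account_created" };
}

// Constructed stand-in for the provider's verification endpoint: it accepts exactly
// one token value and rejects anything else, so the example runs offline.
const VALID_TOKENS = new Set(["tok_solved_example"]);
function fakeVerify(token) {
  return VALID_TOKENS.has(token);
}

// Replays the report's reproduction steps against a handler: the same signup
// request with the token, with the token field deleted, and with it blanked out.
function runBypassCheck(handler) {
  const base = { email: "user@example.com", password: "constructed-password" };
  const withToken = handler({ ...base, captchaToken: "tok_solved_example" }, fakeVerify);
  const tokenRemoved = handler({ ...base }, fakeVerify);
  const emptyToken = handler({ ...base, captchaToken: "" }, fakeVerify);
  return {
    withToken: withToken.ok,
    tokenRemoved: tokenRemoved.ok,
    emptyToken: emptyToken.ok,
  };
}

// Models the verification service being down, which the hardened handler
// must report as a failed challenge rather than a success.
function runOutageCheck(handler) {
  const down = () => { throw new Error("verification service unreachable"); };
  return handler({ captchaToken: "tok_solved_example" }, down);
}

console.log("vulnerable:", runBypassCheck(vulnerableSignup));
console.log("hardened:", runBypassCheck(hardenedSignup));
console.log("hardened during outage:", runOutageCheck(hardenedSignup));
```

Running the block shows `tokenRemoved: true` for the vulnerable handler, which is exactly the Burp Suite observation in the report, and `false` for the hardened one. The same reproduction step (delete the field, resubmit, check whether the account is created) is the quickest way to confirm the fix once it is deployed.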