What are the security risks when using CAPTCHAs on websites?
CAPTCHAs risks can contribute to client-side attacks
In addition to the issues associated with user frustration and disengagement, CAPTCHA technology can also contribute to client-side website attacks. CAPTCHA plugins can be easily obtained through WordPress libraries or depositories like GitHub, and unfortunately, like any code, these plugins will contain vulnerabilities, particularly if the code comes from a third- or fourth-party source. A recent search of the MITRE CVE database found at least 10 vulnerabilities related to reCAPTCHA and 85 vulnerabilities related to CAPTCHA . Exploitable issues included cross-site scripting (XSS), cross-site request forgery, SQL injection, brute-force protection bypass, and arbitrary web scripts execution.
CAPTCHA & cross-site scripting (XSS)
One of the most common threats found among the CAPTCHA vulnerabilities listed on the MITRE CVE database is cross-site scripting, which involves injecting malicious code directly into websites, to give attackers access to data on an end user’s browser, such as cookies, session tokens, and sensitive identity information. One of the easiest ways to inject malicious code is through existing vulnerabilities—like those contained in CAPTCHA plugins.
Protection from client-side vulnerabilities
Security practitioners increasingly recommend that organizations move to CAPTCHA alternatives, such as honeypots. If an organization has no choice but to use CAPTCHA technology on a website, then security tools that continuously monitor, inspect, and scan websites should be employed to help minimize attack risk.
