clifford-fra / GoogleRecaptchav2

The Google Recaptcha v2 checkbox flow component for Salesforce

Two major security vulnerabilities? #4

Open gbutt opened 3 years ago

gbutt commented 3 years ago

Hey Clifford,

I was reviewing your implementation, and I think it has two security vulnerabilities. One of them I consider to be a major security vulnerability.

  1. It stores the private key for recaptcha in javascript and passes it to Salesforce for server-side verification. This is very bad because I can easily get your private key by looking at the Network log in Chrome Dev Tools. This is a major vulnerability, and it can be fixed easily by storing the private key within Salesforce and retrieving it in apex.
  2. It does not enforce recaptcha verification with submission of form data. Basically it is not implemented correctly and an attacker can bypass it with ease. We had a similar attack on our systems not long ago, and we were also verifying the recaptcha in a separate callout prior to form submission. I was able to duplicate the attack in about 10 minutes, spam our case queue, and consequently send automated emails to whatever email addresses I chose, all from our company's trusted domain.

I am open to being wrong about these two vulnerabilities, but I feel it would be irresponsible of me to not inform you. Thanks for understanding.

clifford-fra commented 3 years ago

Hey, thanks for the information.

I'm fully aware of these security vulnerabilities and I made the trade-off with easy "in-one-place" configuration. The main purpose of this component is to avoid random spam by bots.

The first security issue can be mitigated easily by hardcoding the private key in apex or storing the key in a Custom Metadata Type. I will update the FAQ to encourage others to use this approach.

Regarding the 2nd issue: Can you outline the issue a bit more?

akshith0695 commented 3 years ago

Hi Clifford,

There is an issue with this reCaptcha being used inside a flow and the flow being used in a public community. The issue is that the init method in reCaptcha is called twice. So the apex class gets called twice, and sometimes the response in the second call comes back as false while the first call comes back as true. Although the reCaptcha says success on the front end, it does not allow going to the next page.

sfscgjohnson commented 2 years ago

> Regarding the 2nd issue: Can you outline the issue a bit more?

I think we have been hit by the issue listed in the second issue.
Basically, as @gbutt says, because there is no server-side validation during the transaction it is vulnerable to attack.

Google ReCaptcha is on your form. You don't enable the Submit button unless they check it. This isn't enough, as an attacker can post to your Submit button directly, bypassing the ReCaptcha. Unless the user sends the ReCaptcha verification token it received back from Google for verification from the server side, the attacker can do that themselves, making the submit button think reCaptcha /isHuman = true. To fix it you have to make it so that during the save of your record / form values to Salesforce it is done through server-side code only.

Here are some pointers.

https://www.infallibletechie.com/2021/09/how-to-pass-parameter-from-flow-to.html and the Server Side Code found on this page: https://www.learnexperiencecloud.com/s/article/Implementing-reCAPTCHA-in-Community-Cloud#ServerSideValidation
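The fix described above for both issues, written out as an added Apex example that is not part of this repository or the linked articles: the secret is read server-side from a Custom Metadata Type, and the siteverify callout and the record insert happen in one server call, so a submission without a freshly verified token never reaches the database. The class name, the `reCAPTCHA_Setting__mdt` type with its `Secret_Key__c` field, and the Case fields used are assumptions; a Remote Site Setting for https://www.google.com is also assumed.

```apex
// Added example, not the repo's own code. Verifies the reCAPTCHA token and
// saves the record in the same server-side transaction, so the form cannot be
// submitted without a token Google has just accepted. Assumes a hypothetical
// Custom Metadata Type reCAPTCHA_Setting__mdt with a Secret_Key__c field and a
// Remote Site Setting that allows callouts to https://www.google.com.
public with sharing class RecaptchaCaseController {

    private static final String VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

    // Single entry point for the form (e.g. an Aura/LWC action). The token and
    // the form fields arrive together; nothing is inserted unless verification
    // succeeds inside this same call, so a separate "isHuman" flag cannot be forged.
    @AuraEnabled
    public static Id submitCase(String token, String subject, String description, String email) {
        if (String.isBlank(token) || !verifyToken(token)) {
            // Generic message: do not tell the client why verification failed.
            throw new AuraHandledException('reCAPTCHA verification failed.');
        }
        Case c = new Case(Subject = subject, Description = description, SuppliedEmail = email);
        insert c;
        return c.Id;
    }

    // The secret stays in Salesforce; it never reaches the browser or the network log.
    private static String secretKey() {
        reCAPTCHA_Setting__mdt s = [SELECT Secret_Key__c FROM reCAPTCHA_Setting__mdt LIMIT 1];
        return s.Secret_Key__c;
    }

    // Server-to-server check against Google; a token is single-use, so a replayed
    // token fails here even if it was valid once.
    @TestVisible
    private static Boolean verifyToken(String token) {
        HttpRequest req = new HttpRequest();
        req.setEndpoint(VERIFY_URL);
        req.setMethod('POST');
        req.setHeader('Content-Type', 'application/x-www-form-urlencoded');
        req.setBody('secret=' + EncodingUtil.urlEncode(secretKey(), 'UTF-8')
                  + '&response=' + EncodingUtil.urlEncode(token, 'UTF-8'));
        HttpResponse res = new Http().send(req);
        if (res.getStatusCode() != 200) {
            return false;
        }
        // Google answers with {"success": true|false, ...}; only an explicit true passes.
        Map<String, Object> body = (Map<String, Object>) JSON.deserializeUntyped(res.getBody());
        Boolean ok = (Boolean) body.get('success');
        return ok == true;
    }
}
```

With this shape the client-side checkbox only gates the button for usability; the server ignores any "verified" state the browser claims and re-checks the token itself at save time.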

benedwards44 commented 2 years ago

In regards to vulnerability 2, we had the same issue where our pen testing was easily able to bypass the reCAPTCHA and submit to the server (eg. carry on the Flow) without a user ever validating using the reCAPTCHA component.

I've raised a PR here: https://github.com/clifford-fra/GoogleRecaptchav2/pull/6

Which addresses this.

In regards to #1, we used a Custom Setting to handle the Secret as well but have left this separate to this.

patmcclellan commented 1 year ago

See this blog post that avoids the vulnerabilities, AND doesn't use an iframe. https://www.learnexperiencecloud.com/s/article/Implementing-reCAPTCHA-in-Community-Cloud

thangeshkathiresan commented 7 months ago

I have added the Aura component to the flow. The flow is embedded in the external website using Lightning Out. The flow is loading but this Aura component is not loading and is getting the below error. Refused to frame 'https://{org}.sandbox.my.site.com/' because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'self'".

I have added the Trusted sites, Trusted Domains, and CORS. But still getting the above error. What needs to be done to fix this error?