Simple alternative to reCaptcha to avoid Timeout-or-Duplicate error | Community
Skip to main content
pavel_plachky
pavel_plachky
Level 5
February 19, 2020
Question

Simple alternative to reCaptcha to avoid Timeout-or-Duplicate error

  • February 19, 2020
  • 1 reply
  • 4670 views

We are having performance issues with reCaptcha integration, because Marketo is not able to reliably validate a response within 2 minutes. There is a suggestion to proxy the reCaptcha results in persistent database here: https://nation.marketo.com/t5/Product-Discussions/How-to-call-reCaptcha-Webhook-in-less-than-2-minutes/m-p/294924#M166607 but the web team would prefer not to set up a persistent database.

 

Here is an idea of a simple alternative:

1. Instead of sending a reCaptcha fingerprint with the form submission, submit a custom signature that would be calculated in the browser based on email address, e.g. sha256 of email address.

2. Create a simple validation web service that would take an email address and a signature and return a JSON object like this

{
  "success": true|false,      // whether the signature matches the email address
  "response_ts": timestamp    // timestamp of the response (ISO format yyyy-MM-dd'T'HH:mm:ssZZ)
}

3. Marketo would call the validation web service using a webhook after a form was submitted and blacklist any leads for which the response returned success = false. The timestamp would be used for a Change Data Value trigger.

 

Advantages:

  • No timeout
  • Easy to integrate in website
  • Not requiring reCaptcha

Disadvantages

  • Does not prevent attacker that uses a web browser to submit spam lead(s)
  • Not bulletproof against a determined attacker - they could fake the email signature if they went through the trouble of looking at the form submission code

I think the disadvantages are manageable - the spam leads we were getting were not using a browser, but directly posting to the forms endpoint. Those leads would be easily weeded out by this mechanism.

 

Before implementing this idea, I am submitting it for a review to the community to see if I am missing something obvious. I will appreciate any feedback.

 

Pavel

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

1 reply

SanfordWhiteman
SanfordWhiteman
Level 10
February 19, 2020

This is so trivially forgeable that it has nothing in common with reCAPTCHA. It's just an algorithm revealed in plain text in the browser for anyone to (ab)use.

pavel_plachky
pavel_plachkyAuthor
Level 5
February 19, 2020

Hi Sanford, appreciate the feedback. I agree it is forgeable, but not trivially. For starters, it will require somebody (a JavaScript knowledgeable human being) to spend some time and effort - a barrier most hackers that post SPAM leads to Marketo instances will not bother to overcome. The sha256 hash is just an example, a more complex algorithm could be used. Finally, the website could generate changing seeds for the signature that a hacker would not be able to forge.

 

My understanding of the spammer game is as follows: They submit to random forms on the web and monitor replies. If they find an auto-response with personalized content, they just replicate the traffic in an automated way, bypassing the browser. They do not inspect the website code - the return on such effort would not be worth it. This is the attack we are trying to block. 

Terms & ConditionsAccessibility statement

Loading footer...