
Sign up Captcha is not working on Cloud Wikibases using a custom domain
Closed, Resolved | Public | BUG REPORT

Description

Steps to replicate the issue (include links if applicable):

To verify it's an issue with every custom domain Wikibase, error occurs here too: https://lexbib.elex.is/wiki/Special:RequestAccount

What happens?:
Captcha cannot be passed, therefore people are unable to sign up on the Wikibase.

What should have happened instead?:
Captcha should be displayed as normal, allowing the verification for people to sign up on the Wikibase, regardless of custom domain or not.

Other information (browser name/version, screenshots, etc.):

Screen Shot 2022-11-19 at 11.19.08 PM.png (292×658 px, 51 KB)

Event Timeline

I think I found the reason this doesn't work while looking at the Recaptcha Admin console by Google.

For every captcha configuration there is this setting called "Verify the origin of reCAPTCHA solutions".

Description:

If disabled, you are required to check the hostname on your server when verifying a solution.

If we would uncheck that setting, I think it would work again BUT would also be a security risk because then the captcha key can be used anywhere, not only on our sites: https://developers.google.com/recaptcha/docs/domain_validation#security_warning

So I think we can:

  • look at how mediawiki is validating the request and add hostname verification "somehow",
  • or be okay with that security risk. (at this point I'm not sure I understand the impact enough, could be rather insignificant but it seems somewhat important to Google)
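As an added example that is not part of this task and not code from MediaWiki or the ConfirmEdit extension: the kind of server-side hostname check the first bullet point calls for, in Python. Once origin verification is switched off in the reCAPTCHA console, the only thing tying a solved token to one of our own domains is the `hostname` field Google returns from `/siteverify`, so the server has to compare it against the list of domains it actually serves. The siteverify bodies and the wiki records below are constructed for the example; the real platform's data model and the PHP code that would carry this check differ.

```python
import json

# Constructed sample /siteverify bodies (same JSON shape as Google's reCAPTCHA v2
# siteverify API; these are made up, not captured responses).
SAMPLE_OK = '{"success": true, "challenge_ts": "2022-11-19T23:19:08Z", "hostname": "lexbib.elex.is"}'
SAMPLE_OTHER_SITE = '{"success": true, "challenge_ts": "2022-11-19T23:20:00Z", "hostname": "attacker.example"}'
SAMPLE_FAILED = '{"success": false, "error-codes": ["invalid-input-response"]}'
SAMPLE_NO_HOST = '{"success": true, "challenge_ts": "2022-11-19T23:21:00Z"}'

def normalise_host(host):
    """Lower-case, drop a trailing dot and a single :port so comparisons are exact."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:          # "example.org:443" -> "example.org"
        host = host.split(":", 1)[0]
    return host

def build_allowlist(wikis):
    """wikis: iterable of (platform_domain, custom_domain_or_None) records.
    This record shape is an assumption for the example, not the platform's model.
    Both the wikibase.cloud name and any custom domain count as 'our' hosts."""
    hosts = set()
    for platform_domain, custom_domain in wikis:
        hosts.add(normalise_host(platform_domain))
        if custom_domain:
            hosts.add(normalise_host(custom_domain))
    return hosts

def verify_siteverify_response(body, allowed_hosts, request_host=None):
    """Return (accepted, reason). Accept only if Google reports success AND the
    hostname the captcha was solved on is one of our own domains. Passing
    request_host additionally pins the token to the wiki it was submitted to,
    so a token solved on one cloud wiki cannot be replayed on another."""
    try:
        data = json.loads(body)
    except ValueError:
        return False, "malformed siteverify response"
    if data.get("success") is not True:
        return False, "captcha not solved: " + ",".join(data.get("error-codes", []))
    hostname = data.get("hostname")
    if not isinstance(hostname, str) or not hostname:
        # Android tokens carry apk_package_name instead; a web form never should.
        return False, "no hostname in siteverify response"
    hostname = normalise_host(hostname)
    if hostname not in allowed_hosts:
        return False, "token solved on foreign host " + hostname
    if request_host is not None and normalise_host(request_host) != hostname:
        return False, "token solved on " + hostname + " but submitted to " + normalise_host(request_host)
    return True, "ok"
```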

I found this answer on stack exchange about why domain validation is a major security issue for recaptcha. https://security.stackexchange.com/questions/149324/why-bother-validating-the-hostname-for-a-google-recaptcha-response

It may have something to do with people embedding your captchas on a site they set up, and using the solved captchas to spam your site.

So we probably want to go with the first bullet point Deniz made in his comment.

@Addshore mentioned that on WBStack this box was already ticked (i.e. domain validation was disabled).

We probably could therefore in the short term also click this; this does expose us to slightly more risk of spam as per the links.

In the medium to long term we would probably like to properly resolve this. We could do this either by implementing checking the host in all the places we use recaptcha or we could automatically create (or update) the existing recaptcha details to add all the custom domain wikis that we have.

We also could certainly generate a new pair just for use by the custom domains rather than the wikibase.cloud ones. This would reduce the exposure of flipping this switch.

After talking with other devs we went with the 2nd bullet point (changed the recaptcha setting to not validate domains). We changed the setting on both staging and production.

Evelien_WMDE claimed this task.