Fixed ReCaptcha Secure Token Deprecation

Jake B.

Jake B.

Well-known member
I've gotten a ton of these emails recently, seems Google is changing how their ReCaptcha API works. The Secure Token isn't required anymore and now they're forcing domain validation. At least that's what I got out of this

Hi Webmaster,


You are receiving this email because your site is using the reCAPTCHA secure token. This feature has been deprecated and will be turned off on May 18th, 2016.


  • If you have a small number of domains, please list them in the admin console domain box.

  • If you cannot list every domain or have greater than 50 domains, you can find “Advanced Settings” in the admin console and untick the “Domain Name Validation” checkbox.
domain_name_validation.webp

After that, your current key will continue working for all of the domains you are hosting but to maintain security, you are required to check the hostname of the solution on your side.


Please let us know if you have any questions and we are glad to help.


Thank you,


reCAPTCHA Support
Click to expand...
 
The site you got this alert for, is it using the old reCAPTCHA or the new "I'm not a robot" reCAPTCHA?

EDIT: I actually can't see that we use the secure token anywhere...
 
Chris D said:
The site you got this alert for, is it using the old reCAPTCHA or the new "I'm not a robot" reCAPTCHA?

EDIT: I actually can't see that we use the secure token anywhere...
Click to expand...

Nope, it's using the 'new' No CAPTCHA one

Screen-Shot-2016-05-10-at-10.57.25-AM.webp

Is the secret key and secure token not the same thing? I'm not really familiar with NoCaptcha, but if not then I guess this can be closed :p
 
Yeah it's not the same thing.

That said, this does perhaps highlight some verification we're not actually doing so I'm going to escalate this to a bug.

It seems like we should have been doing the secure token validation but I don't think we are and alternatively we should be doing the hostname validation so we should look at adding that.
 
On closer inspection of the documentation, there's not necessarily anything we need to do here.

We do not make use of the secure token parameter. Also hostname validation happens automatically by default. However, there is an option to turn that off. Therefore as a precaution we are now also doing domain validation just to cover all bases. On that note, we'll call this fixed for the next release :)

Thanks.
 

Similar threads

SeToY
Fixed [GitHub API] Deprecation notice for authentication via URL query parameters
Replies
2
Views
2K
XF Bug Bot
XF Bug Bot
Chris D
XF 2.1 XenForo 2.1.8 and above uses jQuery 3.4.1 (deprecation warning)
Replies
9
Views
3K
Mike
Mike
K
Fixed ReCaptcha style
Replies
1
Views
2K
XF Bug Bot
XF Bug Bot
Back
Top Bottom