Shifting from reCAPTCHA to hCaptcha

We are adding another CAPTCHA vendor and helping our customers migrate from Google's reCAPTCHA to hCaptcha.
We continuously evaluate our security measures to ensure they align with the evolving landscape of threats.
After carefully evaluating several different CAPTCHA providers, including rigorous testing by our threat research team, hCaptcha surfaced as a leading solution that we would like to use.
Our decision to switch to hCaptcha is driven by several factors.
First, we wanted to ensure we use the most updated CAPTCHA service.
We use reCAPTCHA Version 2, but because reCAPTCHA Version 3 isn't GDPR compliant, we cannot use it.
As a cybersecurity company, we prioritize compliance with global regulations to ensure the utmost security for our users.
hCaptcha doesn't rely on personal user data or historical interactions for its functionality, which aligns with our commitment to respecting user privacy.
This transition to hCaptcha addresses the market's concerns about reCAPTCHA allowing two domains to access the same cookie data set to enable ad targeting.
hCaptcha is also globally available, including in China, a region not supported by Google.
By moving to hCaptcha, we aim to streamline our processes and provide more efficient service to our users.
Some use cases of these automated attacks include Distributed Denial of Service, brute force login attacks, web scraping, and more.
CAPTCHAs are a type of challenge that does require some human intervention.
While we strive to only present a CAPTCHA as a last measure in a varied set of transparent challenges, we provide our customers with complete control over how they would like to manage their security measures.
This means customers can still choose to issue a CAPTCHA challenge as a security rule.
As automated traffic becomes increasingly sophisticated, Imperva Advanced Bot Protection adds even more transparent challenges as part of its multi-layered detection approach.
These significantly reduce the need to serve a CAPTCHA. In fact, on average, with Advanced Bot Protection, legitimate users will not be served a CAPTCHA on 99.999% of requests, ensuring a frictionless online experience without compromising security.
While CAPTCHAs still play a vital role in cybersecurity, we recognize they aren't perfect.
We are committed to minimizing and, hopefully, eliminating the number of CAPTCHAs we issue altogether.
Our transition to hCaptcha is a significant step in this direction.


This Cyber News was published on www.imperva.com. Publication date: Thu, 21 Dec 2023 17:43:04 +0000


Cyber News related to Shifting from reCAPTCHA to hCaptcha

Shifting from reCAPTCHA to hCaptcha - We are adding another CAPTCHA vendor and helping our customers migrate from Google's reCAPTCHA to hCaptcha. We continuously evaluate our security measures to ensure they align with the evolving landscape of threats. After carefully evaluating several ...
1 year ago Imperva.com
DevSecOps: Shifting Security to the Left - This blog explains how Shifting Security to the Left introduces security in the early stages of the DevOps Lifecycle, thus fixing software bugs proactively. Throughout this process, it feels like security has been left behind a little. 'Shifting ...
1 year ago Feeds.dzone.com
Companies Must Strengthen Cyber Defense in Face of Shifting Threat Actor Strategies - Critical for organizations to understand attackers' tactics, techniques, and procedures. The 2023 mid-year cyber threat report card portends an ominous outlook with staggering data including the fact that 332 million cryptojacking attacks were ...
1 year ago Cyberdefensemagazine.com
Embracing Security as Code - Everything is smooth until it isn't because we traditionally tend to handle the security stuff at the end of the development lifecycle, which adds cost and time to fix those discovered security issues and causes delays. Over the years, software ...
11 months ago Feeds.dzone.com
CVE-2023-41100 - An issue was discovered in the hcaptcha (aka hCaptcha for EXT:form) extension before 2.1.2 for TYPO3. It fails to check that the required captcha field is submitted in the form data. allowing a remote user to bypass the CAPTCHA check. ...
1 year ago
CVE-2024-4014 - The hCaptcha for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cf7-hcaptcha shortcode in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping on user ...
7 months ago
Three hard truths hindering cloud-native detection and response - Help Net Security - Given the interconnectedness of cloud environments and the accelerated pace at which cloud attacks unfold, if SOC teams can’t see everything in one place, they’ll never be able to connect the dots in time to respond. Within these trusted ...
2 months ago Helpnetsecurity.com
CVE-2015-6830 - libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a ...
8 years ago
CVE-2011-0759 - Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration page in the Recaptcha (aka WP-reCAPTCHA) plugin 2.9.8.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that disable the ...
7 years ago
CVE-2023-6959 - The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the recaptcha_api_key_manage function in all versions up to, and including, 2.0.3. This makes it possible for ...
10 months ago Tenable.com
CVE-2024-1288 - The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saswp_reviews_form_render' function in all versions up to, and including, 1.26. This makes it ...
9 months ago Tenable.com
CVE-2024-34009 - Insufficient checks whether ReCAPTCHA was enabled made it possible to bypass the checks on the login page. This did not affect other pages where ReCAPTCHA is utilized. ...
6 months ago
CVE-2024-5541 - The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ibtana_visual_editor_register_ajax_json_endpont' function in all versions up to, and ...
5 months ago
CVE-2023-32599 - Missing Authorization vulnerability in Bill Minozzi reCAPTCHA for all allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects reCAPTCHA for all: from n/a through 1.22. ...
1 week ago Tenable.com
Star Blizzard increases sophistication and evasion in ongoing attacks - Microsoft Threat Intelligence continues to track and disrupt malicious activity attributed to a Russian state-sponsored actor we track as Star Blizzard. Star Blizzard has improved their detection evasion capabilities since 2022 while remaining ...
1 year ago Microsoft.com
The Russians are coming! Err, they've already infiltrated The Register - Russia-backed attackers have named new targets for their ongoing phishing campaigns, with defense-industrial firms and energy facilities now in their sights, according to agencies of the Five Eyes alliance. In a joint security alert issued on ...
1 year ago Go.theregister.com
CVE-2021-39362 - An XSS issue was discovered in ReCaptcha Solver 5.7. A response from Anti-Captcha.com, RuCaptcha.com, 2captcha.com, DEATHbyCAPTCHA.com, ImageTyperz.com, or BestCaptchaSolver.com in setCaptchaCode() is inserted into the DOM as HTML, resulting in full ...
3 years ago
CVE-2015-0890 - The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors. ...
9 years ago
CVE-2017-2171 - Cross-site scripting vulnerability in Captcha prior to version 4.3.0, Car Rental prior to version 1.0.5, Contact Form Multi prior to version 1.2.1, Contact Form prior to version 4.0.6, Contact Form to DB prior to version 1.5.7, Custom Admin Page ...
7 years ago
CVE-2021-24189 - Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Captchinoo, Google recaptcha for admin login page WordPress plugin before 2.4, to install any plugin (including a specific version) from the ...
3 years ago
CVE-2022-1442 - The Metform WordPress plugin is vulnerable to sensitive information disclosure due to improper access control in the ~/core/forms/action.php file which can be exploited by an unauthenticated attacker to view all API keys and secrets of integrated ...
1 year ago
CVE-2022-2913 - The Login No Captcha reCAPTCHA WordPress plugin before 1.7 doesn't check the proper IP address allowing attackers to spoof IP addresses on the allow list and bypass the need for captcha on the login screen. ...
2 years ago
CVE-2022-3831 - The reCAPTCHA WordPress plugin through 1.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed ...
2 years ago
CVE-2018-21012 - The cf7-invisible-recaptcha plugin before 1.3.2 for WordPress has XSS. ...
1 year ago
CVE-2023-0085 - The Metform Elementor Contact Form Builder plugin for WordPress is vulnerable to reCaptcha Bypass in versions up to, and including, 3.2.1. This is due to insufficient server side checking on the captcha value submitted during a form submission. This ...
1 year ago

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)