Captcha Bypass due to invalidation of previous tokens in answerdev/answer


Reported on

Feb 22nd 2023


An attacker can create bypass the captcha mechanism and create multiple accounts directly

Proof of Concept

1: Sign up with a new name in the application, fill the captcha and intercept the request of the submit.

The request will look something like this

POST /answer/api/v1/user/register/email HTTP/1.1
Host: localhost:9080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en_US
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 123
Origin: http://localhost:9080
Connection: close
Referer: http://localhost:9080/users/register


2: Forward the same request over the repeater and simply change the email id to a new email. Although the previous captcha token is present, it will still be accepted and will create a new user directly.

You can try performing the same over burp intruder to automate the entire part by adding an insertion point in any section of the email id with corresponding payloads and start the attack, all responses will arrive with the status of 200 OK whichever contains a new email



Circumventing anti-automation mechanisms deployed by the captcha and perform automation.

We are processing your report and will contact the answerdev/answer team within 24 hours. 3 months ago
We have contacted a member of the answerdev/answer team and are waiting to hear back 3 months ago
joyqi validated this vulnerability 2 months ago
Hex9991 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
joyqi marked this as fixed in 1.0.6 with commit 813ad0 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
joyqi published this vulnerability 2 months ago
to join this conversation