Post by tom327 » Tue Jan 10, 2023 3:15 am

Using Opencart 3.0.3.2, and using the built in Google Captcha extension.
With version 2 checkbox type captcha.

For some reason, on the form on the account registration page the captcha appears, but it allows form submission even when the captcha is NOT checked.
So I am getting a ton of spam.

I have other forms on my site (from a third party extension) that also used the captcha and they work properly.

Is there some known bug with using a captcha on registration page? Or can anyone suggest a way to debug this, or some fix to try?

My host support suggested I switch to Captcha 3.0 version, but I am not sure this version of Opencart supports that?


Post by ADD Creative » Tue Jan 10, 2023 7:53 am

The Google reCaptcha module only has to be passed once per session. If you clear your cookies does that stop the form being submitted?

www.add-creative.co.uk



Post by tom327 » Tue Jan 10, 2023 12:26 pm

Yes, that may have happened, because it started working again for me when I do a test on my computer.

But, the real problem I have is I am getting 30+ spam registrations per hour.

My web host can't figure out how the spam bots are beating the CAPTCHA (google v. 3 with I am not a robot checkbox).


Post by khnaz35 » Tue Jan 10, 2023 1:13 pm


Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by JNeuhoff » Tue Jan 10, 2023 6:22 pm

Or you can use the SpamBot Buster, which is much more effective against fake account registrations from spambots.

Export/Import Tool * SpamBot Buster * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Tag Manager * Survey Plus * OpenTwig




Post by ADD Creative » Tue Jan 10, 2023 8:00 pm

Could be that they are passing it once and saving the session, have a way to bypass Google reCaptcha or are using some other entry point to register (a look in the web access logs might tell you).

You can change the Google reCaptcha so it needs to be passed every time.

In catalog/controller/extension/captcha/google.php.

Try adding.

Code:

$this->session->data['gcapcha'] = false;

Just before.

Code:

return $this->load->view('extension/captcha/google', $data);

www.add-creative.co.uk
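
The access-log check suggested in the post above, as an added example that is not part of the original thread or of OpenCart. It assumes an Apache/nginx "combined" log, non-SEO `index.php?route=` URLs, and that an accepted registration answers with a 302 redirect; the sample lines, IP addresses and the route `example/other_signup` are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# ip, method, request target, status from a "combined" format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample traffic (documentation IP ranges, not real visitors).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2023:03:00:01 +0000] "GET /index.php?route=account/register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2023:03:00:20 +0000] "POST /index.php?route=account/register HTTP/1.1" 200 5300 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2023:03:00:41 +0000] "POST /index.php?route=account/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2023:03:01:00 +0000] "GET /index.php?route=account/register HTTP/1.1" 200 5120 "-" "curl/7.85"
198.51.100.7 - - [10/Jan/2023:03:01:02 +0000] "POST /index.php?route=account/register HTTP/1.1" 302 0 "-" "curl/7.85"
198.51.100.7 - - [10/Jan/2023:03:01:03 +0000] "POST /index.php?route=account/register HTTP/1.1" 302 0 "-" "curl/7.85"
198.51.100.7 - - [10/Jan/2023:03:01:04 +0000] "POST /index.php?route=account/register HTTP/1.1" 302 0 "-" "curl/7.85"
192.0.2.9 - - [10/Jan/2023:03:02:00 +0000] "POST /index.php?route=example/other_signup HTTP/1.1" 200 812 "-" "-"
"""

def parse(line):
    """Return (ip, method, route, status) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    route = parse_qs(urlsplit(target).query).get("route", [""])[0]
    return ip, method, route, int(status)

def post_routes(log_text):
    """Count POSTs per route, so every entry point receiving form data is visible."""
    counts = Counter()
    for rec in filter(None, map(parse, log_text.splitlines())):
        if rec[1] == "POST":
            counts[rec[2]] += 1
    return counts

def reuse_suspects(log_text, route="account/register"):
    """Clients with more accepted (302) POSTs than form loads on the route.

    One form load followed by many accepted submissions is what a captcha
    passed once and then reused within a saved session would look like.
    """
    loads, accepted = Counter(), Counter()
    for ip, method, r, status in filter(None, map(parse, log_text.splitlines())):
        if r != route:
            continue
        if method == "GET":
            loads[ip] += 1
        elif method == "POST" and status == 302:  # assumption: 302 = accepted
            accepted[ip] += 1
    return {ip: (loads[ip], n) for ip, n in accepted.items() if n > loads[ip]}
```

A failed submission (200 with the form re-rendered) is not counted as accepted, so a visitor who mistypes once and then registers is not flagged.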



Post by tom327 » Wed Jan 11, 2023 2:40 am

It looks like I had already edited that code, and set it to go to false each time for the session.

I did also go to the Captcha settings on Google's site and there was a setting where I could make the captcha more secure, so I put it to max. Not really sure what it did?

One weird thing. The settings say I have captcha v 2 invisible type, but on my website it is always showing the checkbox captcha (I'm not a robot).


Post by Johnathan » Wed Jan 11, 2023 10:52 pm

You shouldn't use the "invisible" v2 keys with OpenCart. Try creating new "normal" v2 keys and put those into OpenCart. I'm not sure if that was the issue, but it might help.



Post by tom327 » Thu Jan 12, 2023 2:16 am

I tried making new captcha keys to use the v2 checkbox version, but the spam is still getting through.

For example, yesterday the captcha failed 800 attempts, but let 600 pass. After change to captcha, about 15 spam registrations are getting through every hour.

I think I will try to upgrade to V 3 captcha using Clear Thinking's extension.

I like how Version 3 captcha lets you set the score threshold with that version.


Post by Johnathan » Thu Jan 12, 2023 3:20 am

OK, let me know if you have any questions or issues with it. You can contact me here for support:

www.getclearthinking.com/contact



Post by ArtGallery » Sat Jan 21, 2023 11:37 pm

My guess is this individual is not alone in this problem. The default google reCaptcha "I am not a robot" check box version has been working very well for a very long time on an OC 3.x installation - as in ZERO bot account registrations for many months at a time, but just recently has been failing miserably. I am getting about 300 bot account registrations a day now, mostly from Russia. If we could take a poll of every OpenCart 3.x user having this problem I think it would be a huge number of installations that are being impacted.

It seems like the hackers have figured out a way around it to me. If a fix from Google and / or OpenCart isn't found soon, I will probably have to try the Clear Thinking extension that was mentioned by the OP as I have had very good results from their Export / Import orders extension.


Post by khnaz35 » Sun Jan 22, 2023 1:00 am

To be honest, security is always a concern no matter what platform a user uses. For my personal advice I would recommend using the V3 invisible version along with some CSRF protection. It would be better to enable some firewall on your server if you are on a dedicated server, for example CSF etc. Or put your site behind some kind of firewall service like Cloudflare perhaps. Also, if possible, use cPHulk to whitelist countries who can access your website.

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by Johnathan » Mon Jan 23, 2023 10:40 pm

I think ArtGallery may be right. I've had a number of reports from recaptcha v2 users, and with one store the captcha appears to be functioning properly, but it's still getting bot registrations. After looking at the site, I don't see how the registrations are happening unless the captcha is being broken.

v3 seems to be working better, but depending on your thresholds, it may still fall back to the v2 recaptcha. I'll see about adding a honeypot field to my Account Registration Captcha and Google reCAPTCHA v3 extensions this week, which should help.
