Problem: captcha doesn't prevent guess for login/pass.
When I pressed Enter by mistake right after I typed my login. I was surprised when I got both messages "Captcha check failed" and "Invalid login/pass".
After providing correct credential I saw only "Captcha check failed"
I have :
1. Drupal 7.59
2. captcha module 7.x-1.5
3. recaptcha module. 7.x-2.2
Comment | File | Size | Author |
---|---|---|---|
wrong-password.png | 27.15 KB | TheLion | |
correct-password.png | 25.75 KB | TheLion |
Comments
Comment #2
elachlan CreditAttribution: elachlan commentedComment #3
DrlF CreditAttribution: DrlF commentedThis can be fixed by altering CAPTCHA enabled forms
Comment #4
AnybodyI guess this is the related issue for the Drupal 8 version: #3202776: [PP-1][2.x] Do not execute other form validations if CAPTCHA is wrong
Would still make sense to fix this, if anyone is interested to provide a fix. So CAPTCHA doesn't introduce a security risk here, I guess, but doesn't require a valid response to check if the password is correct?
Still #3 looks super dirty to me ;)