Announcement

Collapse
No announcement yet.

Someone is creating new fake customers accounts

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Mike521w I just stumbled upon this thread and was thinking I could try to use your module to help protect our cart from protecting our site fraudulent bot "carding" by trying to prevent them from even adding something to the cart.

    Already have reCaptcha v3 set up and installed your module using ADPR in the action list and 0.3 as the tolerance level.

    On the PROD page I added this inside the add to cart form:

    Code:
    <input type="hidden" name="GoogleReCaptchaResponse" value="">
    And this directly after the form element:

    Code:
    [script src="https://www.google.com/recaptcha/api.js?render=our_site_key"][/script]
    [script]
    grecaptcha.ready(function() {
    grecaptcha.execute('our_site_key', {action: 'Add2Cart'}).then(function(token) {
    jQuery("#js-purchase-product input[name='GoogleReCaptchaResponse']").val(token);
    });
    });
    [/script]
    It works great as long as the customer adds a product to the cart before the token expires which I believe is 2 minutes.

    I would assume a fix for that would be to run the recaptcha function with on submit or on click.

    But it gets tricky (for me at least). Since this form uses an ajax add to cart function I also need it to run the recaptcha function again so a new token is given on the next attempt to add the same product to the cart again.

    I can send the ajax code privately since it will not let me post here.

    Any help would be greatly appreciated.

    Not opposed to hiring someone to help with this either.
    Nick Harkins
    www.loveisarose.com
    *Web Developer
    *Miva
    *Google Analytics, Search Console, Tag Manager, Merchant Center, Ads

    Comment


      Hi @sidFeyDesigns, sorry for the delayed response, it's been a while since I logged in.

      Your setup sounds good to me. I agree, if your customer looks at the product page for a while before adding to cart, then the token will expire. The solution would be to run the `grecaptcha.execute()` on form submit.

      This should still work even if you're using ajax to submit the form, and the customer might re-submit the same form later. For example maybe something like:

      Code:
      [script]
      let handleButtonClick = event => {
          event.preventDefault();
          grecaptcha.execute('our_site_key', {action: 'Add2Cart'}).then(function(token) {
              jQuery("#js-purchase-product input[name='GoogleReCaptchaResponse']").val(token);
      
              //proceed with add to cart ajax here, maybe something like:
              jQuery.ajax( jQuery("#js-purchase-product").attr("action"), jQuery("#js-purchase-product").serialize(), response=>{
                  //do something with the response
              });
          });
      };
      [/script]
      <button type="submit" onClick="handleButtonClick">Submit</button>
      I just wrote this off the top of my head, syntax etc may be wrong and I'm not sure about the setup for jQuery.ajax, I could have things reversed. But anyway that's a general idea
      Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.

      Comment


        Hi @Mike521w! Thank you for creating this module, I have been trying to get reCaptcha set up on my forms for a while now and this is the closest I've come.

        I only dabble in development, but I'm trying to implement this on my ICSQ form on my LOGN page and I'm not getting it to work.

        I have my API keys, set to reCaptcha v3. My form has the ID="ICSQ". Here is my code:

        [script src="https://www.google.com/recaptcha/api.js?render=ABCDEFG"][/script]
        [script type="text/javascript"]
        function onClick(e) {
        e.preventDefault();
        grecaptcha.ready(function() {
        grecaptcha.execute('ABCDEFG', {action: 'homepage'}).then(function(token) {
        jQuery("#ICSQ input[name='GoogleReCaptchaResponse']").val(token);
        });
        });
        }
        [/script]
        and in my form:
        [input name="GoogleReCaptchaResponse" value="" type="hidden" required aria-required="true"]
        And then in the module I have it set to monitor ICSQ, and have played with lots of tolerances but I can't get it to let me pass through the form without a 403 no matter if I set to the tolerance as low as 0 or 0.01. I get a 403 no matter what.

        I was also able to view the module code and can see where it sets the return page to 403 - I was thinking I'd like to set this to my 404 page instead. Is that a bad idea? Any assistance would be appreciate!

        Thank you,
        Sami

        Comment


          Hi,

          Posting this for anyone else that is struggling with bots and fake form submissions. I have been using a random math equation for years and obviously they figured out a way around it. The number of submissions was getting to be a lot of work for us to sort through all day. All I did was remove the + sign in the form that is in html, replaced it with an image of a plus sign. Named it "minus.gif" and changed the alt to alt="-". That worked for me and instead of 20+ submissions an hour we have not received one fake submission.

          Hope that helps anyone looking for something quick and simple.

          Mike

          Comment


            Sorry to bubble this one to the top again. I am getting a ton of fake creations on a daily basis.

            Mike521w and others,
            Does anyone know if the module is still working? When I enable it, every request is shuffled to the 403 page.

            Possibly I am doing something wrong with my utilization? I have added the MVC and it appears in System Extensions. I set the site and secret keys. For now, I set watched page to LOGN at .3.
            On the LOGN page, I put the JS with the site key embedded, towards the end, but still within the </HTML> tag. In the login form, I put the hidden GoogleReCaptchaResponse line, right under the hidden Action LOGN line.
            It is probably important to add that on the reCAPTCHA admin console, I am not seeing any hits when I try to login.

            Tom

            Comment


              Hi sami and RaguTom . Sorry for the delayed response, I often go many weeks without remembering to check the forums. I just checked one of the sites I manage, I thought the module was running fine all this time, but turns out it was set to just proceed even if the visitor failed validation. Once I set it to exit (trigger the 403) it did that for me even though I'm obviously not a bot.

              I'll tinker with it tonight and tomorrow, looks like I need an update of some kind but I'm not sure what/where/why
              Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.

              Comment


                scratch that, I'd just made a mistake with my form. It seems to still be working fine for me..

                sami so this is a year late, but your code looks good to me in general.. I see you're calling google when the user clicks the submit button, instead of on form submit.. I wonder if the form might somehow be getting submitted anyway, before the call to google completes?

                RaguTom I'm not sure exactly where the problem might be there. If you want to share some source code I could get a better idea - you can PM me if you prefer not to share here
                Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.

                Comment


                  Mike521w

                  First, thank you for the response and investigation. This is pretty generic Miva code, so I have posted it here. If we can find out what I did wrong, it may help others too. I have removed the keys. Bolded lines are added to the original LOGN page.

                  LOGN Page:

                  Code:
                  <form method="post" action="&mvte:url;">
                  <fieldset>
                  <legend>&mvt:page:name;</legend>
                  <input type="hidden" name="Action" value="LOGN" />
                  <input type="hidden" name="GoogleReCaptchaResponse" value="" />
                  <div class="c-form-list">
                  <div class="c-form-list__item">
                  <label class="c-form-label u-font-tiny u-text-bold u-text-uppercase is-required &mvt:global:invalid_credentials;" for="Customer_LoginEmail_LOGN">Account Email Address</label>
                  <input id="Customer_LoginEmail_LOGN" class="c-form-input c-form-input--large" type="text" inputmode="email" name="Customer_LoginEmail" value="&mvte:global:Customer_LoginEmail;" autocomplete="email" required aria-required="true">
                  </div>
                  <div class="c-form-list__item">
                  <label class="c-form-label u-font-tiny u-text-bold u-text-uppercase is-required &mvt:global:invalid_credentials;" for="Customer_Password">Password:</label>
                  <mvt:if expr="g.Customer_Temporary_Password">
                  <input type="hidden" name="Customer_Temporary_Password" value="&mvte:global:Customer_Temporary_Password;" autocomplete="off">
                  <input type="hidden" name="Customer_Password" value="&mvte:global:Customer_Temporary_Password;" autocomplete="off">
                  <input id="Customer_Password" class="c-form-input c-form-input--large" type="text" value="&mvte:global:Customer_Temporary_Password;" autocomplete="off" disabled readonly>
                  <mvt:else>
                  <input id="Customer_Password" class="c-form-input c-form-input--large" type="password" name="Customer_Password" autocomplete="current-password" required aria-required="true">
                  </mvt:if>
                  </div>
                  <div class="c-form-list__item u-text-right">
                  <mvt:item name="buttons" param="Login" />
                  </div>
                  </div>
                  </fieldset>
                  </form>
                  LOGN Javascript at the end of the body:
                  (The obvious typos below are intentional. Typ should have an 'e' and js should be script. The forums attempt to execute scripts or prevent JS from being posted)
                  Code:
                  <js src="https://www.google.com/recaptcha/api.js?render=*SITEKEY*"> </js>
                  <js typ="text/javascript">
                  grecaptcha.ready(function() {
                  grecaptcha.execute( "*SITEKEY*", {action: 'AccountLogin'}).then(function(token) {
                  jQuery("#LoginForm input[name='GoogleReCaptchaResponse']").val( token );
                  });
                  });
                  </js>
                  Module is set up with the correct keys and monitoring page is set up as LOGN at 0.3 threshold. I have to keep the monitoring page box blank currently until I am ready to test. Once I put LOGN in there, it sends everything to 403. As a side question, lets say that the Google recaptcha server is down, will this module force my logins to a 403 or will it just bypass the captcha with no response?

                  Thanks!!!!
                  Tom

                  Comment


                    Hi RaguTom , no problem at all, I'm glad to help, and hopefully if we uncover some bugs it'll help improve the module for the sites I manage too, so it's beneficial.

                    Your code looks good to me, which worries me that there is some kind of a bug that I can't seem to duplicate when I test

                    Some questions:
                    • before you submit the form, if you go to the browser devtools, do you see that the `GoogleReCaptchaResponse` field is filled in with a huge string of gibberish?
                    • do you see any errors in the dev tools javascript console?
                      • I'm wondering if the code that uses `grecaptcha` is running *before* the `grecaptcha` function is even defined, which should trigger an error. I was just checking one of the sites I have this installed on, and I see I put in an interval that checks if `grecaptcha` is defined before calling it. I could have done that out of habit, but maybe I did it specifically because I found it wasn't defined in time..
                    • is it possible you're waiting a long time between page load and form submit? I think that token expires, so I had to set some of my forms to grab a new token on button-click
                    • I assume your admin page look something like the image below..
                    Here's a quick rewrite of the code I'm using that has an interval to wait to make sure `grecaptcha` is defined. I happen to be using jQuery to load the script dynamically, but that's not too important.. In either scenario it's probably not a bad idea to use an interval so you're 100% sure your code only runs after `grecaptcha` exists..

                    Code:
                    $.getScript( "https://www.google.com/recaptcha/api.js?render=asdfasdf", function(){
                       (function() {
                          var gRecaptchaLoading = setInterval(function() {
                             if (typeof(grecaptcha) != "undefined") {
                                clearInterval(gRecaptchaLoading);
                                grecaptcha.ready(function() {
                                   grecaptcha.execute( "asdfasdf", {action: 'ActionName'}).then(function(token) {
                                      jQuery("input[name='GoogleReCaptchaResponse']").val( token );
                                   });
                                });
                             }
                          }, 100);
                       })();
                    });
                    and here's the image of how my admin screen looks:

                    mivaAdminView.jpg
                    Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.

                    Comment


                      Mike521w Thank you again for the response.

                      For the devtools location you are looking for, are you talking about the elements inspector of the login page, within the form section? If so, all that line says is <input type="hidden" name="GoogleReCaptchaResponse" value="LOGN"> == $0. Let me know if you are looking for a different spot. I can't post screenshots, so I have to copy and paste.

                      I do not see any errors in console, with or without LOGN active in admin console.

                      My testing consists of loading the login page, enabling "LOGN" in the admin console, and then proceeding to login... and then quickly taking "LOGN" back out when it sends me to a 403 so that legitimate users don't get the redirect. All of this maybe takes 15 seconds at the most from loading the login page. So I don't believe it to be an expiration issue.

                      My admin page looks identical except I only have access to version 1.0, so no "On failed" and "Auto Valid."

                      I don't know if this helps, but, different from what I originally first posted, I AM getting hits on my reCaptcha admin page now. I do see rejected hits and accepted hits. What I am glad about is that it looks like most of the many hits are below threshold, which means this implementation should work wonders for me.

                      Tom

                      Comment


                        ok I think I know what the problem is - that hidden field definitely shouldn't say `value="LOGN"`, it's supposed to get changed to something like `value="asdfasdfasdf123412341234"`. The token google sends back is supposed to go there.

                        I think the problem is with the selector in the javascript. You're using the code I added in one of the posts above, which makes perfect sense, unfortunately I set that code up to look for a specific element ID, I shouldn't have done that.

                        Anyway, in the javascript, can you change this line:

                        HTML Code:
                        jQuery("#LoginForm input[name='GoogleReCaptchaResponse']").val( token );
                        to this:

                        HTML Code:
                        jQuery("input[name='GoogleReCaptchaResponse']").val( token );
                        After you make that change, you should see that field get filled with gibberish in the dev tools, and then when you hit submit it should work better
                        Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.

                        Comment


                          Mike521w Thank you so much!! That was the fix.

                          I am currently converting the embedded JS to a modular JS file to be used in the CSS/Javascript Resources for MIVA. I am hoping to make a version that is generic across multiple pages and just requires only <input type="hidden" name="GoogleReCaptchaResponse" value="" /> in the forms that you want to use recaptcha on, and the JS does the rest. It seems mostly done and makes it even easier to deploy, calls on form post rather than load to avoid token timeout, allows you to use it with multiple forms on the same page (such as login and create account being on the same page), and allows you to separately track results from different "actions:" through the ReCaptcha admin console.

                          I'll post the code when it is done! I hope it helps other people deploy your amazing utility.

                          Tom
                          Last edited by RaguTom; 06-29-23, 02:46 PM.

                          Comment


                            that's great news! And good idea about setting it up so it can work sort of universally.

                            I was thinking about updating the module so the user interface in admin is easier to make sense of (one row per watched-action), instead of comma-separating all the actions / numbers etc. But Miva has their own recaptcha module coming out in a few days so that might end up being better anyway
                            Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.

                            Comment


                              Mike521w Well Mike..... would have been good to lead with that!!!! HAHA!
                              Regardless, I am committed now! There is no telling if the Miva implementation will be intrusive or not. V3 is just seamless and invisible.

                              I was going to copy and paste the contents of the comma separated list into a var at the top of the JS so the script knows what forms to hook a listener to. However, is there any way for me to programmatically call the list that is already saved in the utility from within JS? It seems like that wouldn't be possible, but I do not know the MIVA inner workings like that. The other way I can do it is iterate through the list of elements until I find a form that contains an element with the name "GoogleReCaptchaResponse"

                              Comment


                                haha yea I just read about it on another thread here the other day, I'm looking forward to trying it out but I doubt I'll make changes to existing sites since this module has been working fine for so long

                                About making the watched-action list available to javascript, I don't think there's an easy way right now.. I just took a quick look at the PROD page token list as an example, and the recaptcha module's watched-action list isn't available, which is kind of what I was expecting. Off the top of my head I think that list is only accessed either A) when you're in the admin screen making changes, or B) behind the scenes when an action is triggered.. I don't think it ever becomes available to template code etc

                                So your idea about finding all the `GoogleReCaptchaResponse` inputs is probably best
                                Looking for work as of March 2024! I've been a web developer for going on 20 years, with most of that time spent on Miva sites.

                                Comment

                                Working...
                                X