Someone is creating new fake customers accounts

  • ids
    replied
    Just recently had this issue mostly solved with a client. Generally, fake accounts were being created and accounts were being password tested. The solution turned out to be Cloudflare DNS. The free version was all that was needed to have a secure DNS. CF seems to do a good job of keeping out the bad bots, etc.

    Scott



  • lesliekirk
    replied
    Originally posted by Rick Wilson:
    Ours is done FWIW and will be available on Monday.
    I wonder if we need to move or start this thread up in the Miva 10 forum - so as not to confuse those who might be looking for an MM10 solution. This thread has been going on since 2019.



  • RaguTom
    replied
    Rick Wilson Thanks!! I will definitely check it out.



  • Rick Wilson
    replied
    Ours is done FWIW and will be available on Monday.



  • RaguTom
    replied
    Mike521w So this is what I came up with: The JS contains everything you need to interact with the module. You no longer need to make any modification or entries to the pages themselves. There is a small section at the top of the JS that defines your settings. Settings are API endpoint, site key, and desired action watch list that can either be every default action OR just the same actions that you define in the module. The JS loads the API into memory on page load. Then it scans the page for those Miva hidden action value = "LOGN" (or whichever) inputs that are in the forms. It compares what it finds on the page to the list of monitored actions placed at the top of the JS file. It then creates the hidden input entry for the token that would normally be manually entered into the HTML. Then it attaches an event to the submit action of the form, interrupts the default submit, sends and waits for the token, and then programmatically "submits" the form.

    When you add the JS to the Miva resources, you have to enable it for every page you want the JS to run on. I guess you could leave it global, but I chose not to. You also need to select the Resource Group for the JS to be in the head_tag.

    Seems to work well so far!



  • Mike521w
    replied
    haha yea I just read about it on another thread here the other day, I'm looking forward to trying it out but I doubt I'll make changes to existing sites since this module has been working fine for so long

    About making the watched-action list available to javascript, I don't think there's an easy way right now.. I just took a quick look at the PROD page token list as an example, and the recaptcha module's watched-action list isn't available, which is kind of what I was expecting. Off the top of my head I think that list is only accessed either A) when you're in the admin screen making changes, or B) behind the scenes when an action is triggered.. I don't think it ever becomes available to template code etc

    So your idea about finding all the `GoogleReCaptchaResponse` inputs is probably best



  • RaguTom
    replied
    Mike521w Well Mike..... would have been good to lead with that!!!! HAHA!
    Regardless, I am committed now! There is no telling if the Miva implementation will be intrusive or not. V3 is just seamless and invisible.

    I was going to copy and paste the contents of the comma separated list into a var at the top of the JS so the script knows what forms to hook a listener to. However, is there any way for me to programmatically call the list that is already saved in the utility from within JS? It seems like that wouldn't be possible, but I do not know the MIVA inner workings like that. The other way I can do it is iterate through the list of elements until I find a form that contains an element with the name "GoogleReCaptchaResponse"



  • Mike521w
    replied
    that's great news! And good idea about setting it up so it can work sort of universally.

    I was thinking about updating the module so the user interface in admin is easier to make sense of (one row per watched-action), instead of comma-separating all the actions / numbers etc. But Miva has their own recaptcha module coming out in a few days so that might end up being better anyway



  • RaguTom
    replied
    Mike521w Thank you so much!! That was the fix.

    I am currently converting the embedded JS to a modular JS file to be used in the CSS/Javascript Resources for MIVA. I am hoping to make a version that is generic across multiple pages and just requires only <input type="hidden" name="GoogleReCaptchaResponse" value="" /> in the forms that you want to use recaptcha on, and the JS does the rest. It seems mostly done and makes it even easier to deploy, calls on form post rather than load to avoid token timeout, allows you to use it with multiple forms on the same page (such as login and create account being on the same page), and allows you to separately track results from different "actions:" through the ReCaptcha admin console.

    I'll post the code when it is done! I hope it helps other people deploy your amazing utility.

    Tom
    Last edited by RaguTom; 06-29-23, 02:46 PM.



  • Mike521w
    replied
    ok I think I know what the problem is - that hidden field definitely shouldn't say `value="LOGN"`, it's supposed to get changed to something like `value="asdfasdfasdf123412341234"`. The token google sends back is supposed to go there.

    I think the problem is with the selector in the javascript. You're using the code I added in one of the posts above, which makes perfect sense, unfortunately I set that code up to look for a specific element ID, I shouldn't have done that.

    Anyway, in the javascript, can you change this line:

    HTML Code:
    jQuery("#LoginForm input[name='GoogleReCaptchaResponse']").val( token );
    to this:

    HTML Code:
    jQuery("input[name='GoogleReCaptchaResponse']").val( token );
    After you make that change, you should see that field get filled with gibberish in the dev tools, and then when you hit submit it should work better



  • RaguTom
    replied
    Mike521w Thank you again for the response.

    For the devtools location you are looking for, are you talking about the elements inspector of the login page, within the form section? If so, all that line says is <input type="hidden" name="GoogleReCaptchaResponse" value="LOGN"> == $0. Let me know if you are looking for a different spot. I can't post screenshots, so I have to copy and paste.

    I do not see any errors in console, with or without LOGN active in admin console.

    My testing consists of loading the login page, enabling "LOGN" in the admin console, and then proceeding to login... and then quickly taking "LOGN" back out when it sends me to a 403 so that legitimate users don't get the redirect. All of this maybe takes 15 seconds at the most from loading the login page. So I don't believe it to be an expiration issue.

    My admin page looks identical except I only have access to version 1.0, so no "On failed" and "Auto Valid."

    I don't know if this helps, but, different from what I originally first posted, I AM getting hits on my reCaptcha admin page now. I do see rejected hits and accepted hits. What I am glad about is that it looks like most of the many hits are below threshold, which means this implementation should work wonders for me.

    Tom



  • Mike521w
    replied
    Hi RaguTom, no problem at all, I'm glad to help, and hopefully if we uncover some bugs it'll help improve the module for the sites I manage too, so it's beneficial.

    Your code looks good to me, which worries me that there is some kind of a bug that I can't seem to duplicate when I test

    Some questions:
    • before you submit the form, if you go to the browser devtools, do you see that the `GoogleReCaptchaResponse` field is filled in with a huge string of gibberish?
    • do you see any errors in the dev tools javascript console?
      • I'm wondering if the code that uses `grecaptcha` is running *before* the `grecaptcha` function is even defined, which should trigger an error. I was just checking one of the sites I have this installed on, and I see I put in an interval that checks if `grecaptcha` is defined before calling it. I could have done that out of habit, but maybe I did it specifically because I found it wasn't defined in time..
    • is it possible you're waiting a long time between page load and form submit? I think that token expires, so I had to set some of my forms to grab a new token on button-click
    • I assume your admin page looks something like the image below..
    Here's a quick rewrite of the code I'm using that has an interval to wait to make sure `grecaptcha` is defined. I happen to be using jQuery to load the script dynamically, but that's not too important.. In either scenario it's probably not a bad idea to use an interval so you're 100% sure your code only runs after `grecaptcha` exists..

    Code:
    $.getScript( "https://www.google.com/recaptcha/api.js?render=asdfasdf", function(){
       (function() {
          var gRecaptchaLoading = setInterval(function() {
             if (typeof(grecaptcha) != "undefined") {
                clearInterval(gRecaptchaLoading);
                grecaptcha.ready(function() {
                   grecaptcha.execute( "asdfasdf", {action: 'ActionName'}).then(function(token) {
                      jQuery("input[name='GoogleReCaptchaResponse']").val( token );
                   });
                });
             }
          }, 100);
       })();
    });
    and here's the image of how my admin screen looks:

    [image: mivaAdminView.jpg]

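The two posts above describe the same mechanism from two sides: RaguTom's generic script that scans the page for forms carrying a watched hidden `Action` value, injects the `GoogleReCaptchaResponse` field, intercepts submit, fetches a token and then submits programmatically, and Mike521w's interval that waits until `grecaptcha` is actually defined. The following is an added example that puts both together; it is not the module's code nor either poster's script. `SITE_KEY` and `WATCHED_ACTIONS` are assumed configuration (LOGN is from the thread; ICST as the create-account action is an assumption), and the timeout on the `grecaptcha` wait is a choice made here so a blocked script host does not leave the form unsubmittable.

```javascript
"use strict";

// Assumed configuration (placeholders, not values from the thread).
const SITE_KEY = "SITE_KEY_PLACEHOLDER";      // your reCAPTCHA v3 site key
const WATCHED_ACTIONS = ["LOGN", "ICST"];    // must match the module's watch list (ICST assumed)
const TOKEN_FIELD = "GoogleReCaptchaResponse";

// Return the first watched action among the hidden Action values found in a form,
// or null when the form triggers nothing the module monitors (no token needed).
function pickWatchedAction(actionValues, watched) {
  for (const v of actionValues) {
    if (watched.includes(v)) return v;
  }
  return null;
}

// reCAPTCHA v3 action names may only contain letters, slashes and underscores.
// Deriving the label from the Miva action code lets the console report each form separately.
function recaptchaActionName(mivaAction) {
  return "miva_" + mivaAction.replace(/[^A-Za-z_/]/g, "_");
}

// Poll until a global (e.g. "grecaptcha") exists, then resolve with it.
// Rejects after timeoutMs instead of polling forever. `root` is injectable for testing.
function waitForGlobal(name, intervalMs, timeoutMs, root = globalThis) {
  return new Promise((resolve, reject) => {
    const started = Date.now();
    const timer = setInterval(() => {
      if (typeof root[name] !== "undefined") {
        clearInterval(timer);
        resolve(root[name]);
      } else if (Date.now() - started > timeoutMs) {
        clearInterval(timer);
        reject(new Error(name + " not loaded within " + timeoutMs + "ms"));
      }
    }, intervalMs);
  });
}

// Request a fresh token at submit time (tokens expire, so not at page load).
function fetchToken(mivaAction) {
  return waitForGlobal("grecaptcha", 100, 10000).then((g) =>
    new Promise((resolve) => g.ready(resolve)).then(() =>
      g.execute(SITE_KEY, { action: recaptchaActionName(mivaAction) })
    )
  );
}

// Make sure the form has the hidden token field (create it if the template omitted it),
// intercept submit, fill in the token, then submit programmatically.
function hookForm(form, mivaAction) {
  let field = form.querySelector('input[name="' + TOKEN_FIELD + '"]');
  if (!field) {
    field = document.createElement("input");
    field.type = "hidden";
    field.name = TOKEN_FIELD;
    form.appendChild(field);
  }
  form.addEventListener("submit", (ev) => {
    ev.preventDefault();
    fetchToken(mivaAction)
      .catch(() => "")            // token unavailable: submit with an empty field and let the
      .then((token) => {          // module's server-side "on failed" setting decide the outcome
        field.value = token;
        form.submit();            // form.submit() does not re-fire this submit handler
      });
  });
}

// Scan every form on the page and hook the ones whose hidden Action is watched.
// Returns the number of forms hooked.
function hookWatchedForms(doc, watched) {
  let hooked = 0;
  for (const form of doc.querySelectorAll("form")) {
    const actions = Array.from(form.querySelectorAll('input[name="Action"]'), (i) => i.value);
    const action = pickWatchedAction(actions, watched);
    if (action) {
      hookForm(form, action);
      hooked++;
    }
  }
  return hooked;
}

// Only touch the DOM in a browser; the helpers above stay usable elsewhere.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => hookWatchedForms(document, WATCHED_ACTIONS));
}
```

Because the token is requested inside the submit handler, the form's constraint validation has already run, and `form.submit()` cannot loop back into the handler. A form whose token request fails is still submitted, but with an empty `GoogleReCaptchaResponse`, so the decision to allow or 403 stays with the module's server-side setting rather than with client-side code that a bot can skip anyway.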


  • RaguTom
    replied
    Mike521w

    First, thank you for the response and investigation. This is pretty generic Miva code, so I have posted it here. If we can find out what I did wrong, it may help others too. I have removed the keys. Bolded lines are added to the original LOGN page.

    LOGN Page:

    Code:
    <form method="post" action="&mvte:url;">
    <fieldset>
    <legend>&mvt:page:name;</legend>
    <input type="hidden" name="Action" value="LOGN" />
    <input type="hidden" name="GoogleReCaptchaResponse" value="" />
    <div class="c-form-list">
    <div class="c-form-list__item">
    <label class="c-form-label u-font-tiny u-text-bold u-text-uppercase is-required &mvt:global:invalid_credentials;" for="Customer_LoginEmail_LOGN">Account Email Address</label>
    <input id="Customer_LoginEmail_LOGN" class="c-form-input c-form-input--large" type="text" inputmode="email" name="Customer_LoginEmail" value="&mvte:global:Customer_LoginEmail;" autocomplete="email" required aria-required="true">
    </div>
    <div class="c-form-list__item">
    <label class="c-form-label u-font-tiny u-text-bold u-text-uppercase is-required &mvt:global:invalid_credentials;" for="Customer_Password">Password:</label>
    <mvt:if expr="g.Customer_Temporary_Password">
    <input type="hidden" name="Customer_Temporary_Password" value="&mvte:global:Customer_Temporary_Password;" autocomplete="off">
    <input type="hidden" name="Customer_Password" value="&mvte:global:Customer_Temporary_Password;" autocomplete="off">
    <input id="Customer_Password" class="c-form-input c-form-input--large" type="text" value="&mvte:global:Customer_Temporary_Password;" autocomplete="off" disabled readonly>
    <mvt:else>
    <input id="Customer_Password" class="c-form-input c-form-input--large" type="password" name="Customer_Password" autocomplete="current-password" required aria-required="true">
    </mvt:if>
    </div>
    <div class="c-form-list__item u-text-right">
    <mvt:item name="buttons" param="Login" />
    </div>
    </div>
    </fieldset>
    </form>
    LOGN Javascript at the end of the body:
    (The obvious typos below are intentional. Typ should have an 'e' and js should be script. The forums attempt to execute scripts or prevent JS from being posted)
    Code:
    <js src="https://www.google.com/recaptcha/api.js?render=*SITEKEY*"> </js>
    <js typ="text/javascript">
    grecaptcha.ready(function() {
    grecaptcha.execute( "*SITEKEY*", {action: 'AccountLogin'}).then(function(token) {
    jQuery("#LoginForm input[name='GoogleReCaptchaResponse']").val( token );
    });
    });
    </js>
    Module is set up with the correct keys and monitoring page is set up as LOGN at 0.3 threshold. I have to keep the monitoring page box blank currently until I am ready to test. Once I put LOGN in there, it sends everything to 403. As a side question, let's say that the Google recaptcha server is down, will this module force my logins to a 403 or will it just bypass the captcha with no response?

    Thanks!!!!
    Tom

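The post above asks what should happen when Google's verification endpoint cannot be reached, and the module settings mentioned in this thread (a score threshold of 0.3, and either proceeding or returning a 403 when validation fails) are the server-side half of the picture. The following is an added example, written here and not the module's Miva Script, of that server-side policy in Node.js: it posts the token to Google's siteverify endpoint, checks `success`, the returned `action` (the page's form uses `AccountLogin`), the hostname and the score, and keeps the "verifier unreachable" case as an explicit, separately configured decision. The secret, hostname and policy flags are assumed configuration, and `fetchImpl` is injectable so the network call can be stubbed.

```javascript
"use strict";

// Google's documented verification endpoint for reCAPTCHA v2/v3 tokens.
const SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";

// POST the token to Google. A transport failure surfaces as a rejected promise,
// deliberately distinct from a verified-but-low score.
async function verifyToken(secret, token, remoteIp, fetchImpl = globalThis.fetch) {
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
  if (!res.ok) throw new Error("siteverify HTTP " + res.status);
  return res.json(); // { success, score, action, hostname, "error-codes"? }
}

// Turn a siteverify result into an allow/deny decision.
// policy = { threshold, expectedAction, hostname }; never throws on a well-formed result.
function evaluate(result, policy) {
  if (!result || result.success !== true) {
    return { decision: "deny", reason: "verification_failed",
             codes: (result && result["error-codes"]) || [] };
  }
  if (policy.expectedAction && result.action !== policy.expectedAction) {
    return { decision: "deny", reason: "action_mismatch" }; // token minted for a different form
  }
  if (policy.hostname && result.hostname !== policy.hostname) {
    return { decision: "deny", reason: "hostname_mismatch" };
  }
  if (typeof result.score !== "number" || result.score < policy.threshold) {
    return { decision: "deny", reason: "below_threshold", score: result.score };
  }
  return { decision: "allow", reason: "ok", score: result.score };
}

// The outage case from the thread's question. failOpen=true keeps customers logging in
// during an outage at the cost of letting bots through for its duration; failOpen=false
// returns the same 403 as a failed check. Either way, log it so the outage is visible.
function onVerifierUnavailable(failOpen) {
  return failOpen
    ? { decision: "allow", reason: "verifier_unavailable" }
    : { decision: "deny", reason: "verifier_unavailable" };
}

// Glue for a request handler: one call covering missing token, verifier outage and the score check.
async function checkLogin(secret, token, remoteIp, policy, fetchImpl) {
  if (!token) return { decision: "deny", reason: "missing_token" };
  let result;
  try {
    result = await verifyToken(secret, token, remoteIp, fetchImpl);
  } catch (e) {
    return onVerifierUnavailable(policy.failOpen === true);
  }
  return evaluate(result, policy);
}
```

Checking `action` and `hostname` is what makes a per-form watch list meaningful on the server: a token obtained for one form (or another site using the same key) is rejected even when its score is high, and a replayed token comes back with `success: false` and a `timeout-or-duplicate` error code rather than a score.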


  • Mike521w
    replied
    scratch that, I'd just made a mistake with my form. It seems to still be working fine for me..

    sami so this is a year late, but your code looks good to me in general.. I see you're calling google when the user clicks the submit button, instead of on form submit.. I wonder if the form might somehow be getting submitted anyway, before the call to google completes?

    RaguTom I'm not sure exactly where the problem might be there. If you want to share some source code I could get a better idea - you can PM me if you prefer not to share here



  • Mike521w
    replied
    Hi sami and RaguTom. Sorry for the delayed response, I often go many weeks without remembering to check the forums. I just checked one of the sites I manage, I thought the module was running fine all this time, but turns out it was set to just proceed even if the visitor failed validation. Once I set it to exit (trigger the 403) it did that for me even though I'm obviously not a bot.

    I'll tinker with it tonight and tomorrow, looks like I need an update of some kind but I'm not sure what/where/why

