
Captcha tokens can be reused

Open zefir-git opened this issue 3 months ago • 2 comments

Version:

  • listmonk: v5.1.0 (30846f84 2025-09-09T17:48:45Z, linux/amd64)
  • OS: Docker (ubuntu)

Description of the bug and steps to reproduce: When Altcha is enabled, once you complete the captcha and submit a subscription form, you can then reuse the same captcha token to subscribe many other email addresses.

zefir-git avatar Sep 24 '25 23:09 zefir-git

Hi @zefir-git. Altcha uses proof-of-work on the client side for verification and doesn't have any server-side token state.

That said, if I'm not understanding this correctly and there's indeed an issue, I request you to report it to Altcha (https://github.com/altcha-org/altcha) so that it can get fixed upstream.

knadh avatar Oct 25 '25 07:10 knadh
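As an added illustration of the replay concern raised in this thread (this is not listmonk's or Altcha's code; the token layout, the HMAC-signed challenge and the names below are assumptions made up for the example), here is a Go verifier for a client-side proof-of-work captcha that keeps the one piece of server-side state needed to stop reuse: it records each consumed challenge so a second submission of the same token, or any other solution to the same challenge, is refused.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"sync"
	"time"
)

// Assumed token layout (illustrative, not Altcha's real format):
//   challenge = "<salt>:<difficulty>:<expiresUnix>:<sig>"
//   token     = challenge + ":<nonce>"
// sig = hex(HMAC-SHA256(secret, "salt:difficulty:expires")) so a client cannot
// lower the difficulty or extend the expiry. nonce is the client's proof of work:
// hex(sha256("salt:nonce")) must start with `difficulty` zero characters.

var (
	ErrMalformed = errors.New("malformed token")
	ErrBadSig    = errors.New("challenge signature mismatch")
	ErrExpired   = errors.New("challenge expired")
	ErrBadWork   = errors.New("proof of work does not meet difficulty")
	ErrReplayed  = errors.New("challenge already used")
)

type Verifier struct {
	secret []byte
	now    func() time.Time
	mu     sync.Mutex
	used   map[string]time.Time // consumed salt -> challenge expiry
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, now: time.Now, used: map[string]time.Time{}}
}

func (v *Verifier) sign(salt string, difficulty int, expires int64) string {
	m := hmac.New(sha256.New, v.secret)
	fmt.Fprintf(m, "%s:%d:%d", salt, difficulty, expires)
	return hex.EncodeToString(m.Sum(nil))
}

// NewChallenge issues a signed challenge with a fresh random salt.
func (v *Verifier) NewChallenge(difficulty int, ttl time.Duration) string {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	salt := hex.EncodeToString(b[:])
	expires := v.now().Add(ttl).Unix()
	return fmt.Sprintf("%s:%d:%d:%s", salt, difficulty, expires, v.sign(salt, difficulty, expires))
}

func meetsDifficulty(salt, nonce string, difficulty int) bool {
	h := sha256.Sum256([]byte(salt + ":" + nonce))
	return strings.HasPrefix(hex.EncodeToString(h[:]), strings.Repeat("0", difficulty))
}

// Solve plays the browser's part: brute-force a nonce for the challenge.
func Solve(challenge string) (string, error) {
	p := strings.Split(challenge, ":")
	difficulty, err := strconv.Atoi(p[len(p)-3])
	if len(p) != 4 || err != nil {
		return "", ErrMalformed
	}
	for n := 0; ; n++ {
		if nonce := strconv.Itoa(n); meetsDifficulty(p[0], nonce, difficulty) {
			return challenge + ":" + nonce, nil
		}
	}
}

// Verify checks signature, expiry and proof of work, then consumes the
// challenge so it cannot be presented again within its lifetime.
func (v *Verifier) Verify(token string) error {
	p := strings.Split(token, ":")
	if len(p) != 5 {
		return ErrMalformed
	}
	salt, nonce := p[0], p[4]
	difficulty, err1 := strconv.Atoi(p[1])
	expires, err2 := strconv.ParseInt(p[2], 10, 64)
	if err1 != nil || err2 != nil {
		return ErrMalformed
	}
	if !hmac.Equal([]byte(p[3]), []byte(v.sign(salt, difficulty, expires))) {
		return ErrBadSig
	}
	now := v.now().Unix()
	if now > expires {
		return ErrExpired
	}
	if !meetsDifficulty(salt, nonce, difficulty) {
		return ErrBadWork
	}
	v.mu.Lock()
	defer v.mu.Unlock()
	for s, exp := range v.used { // expired challenges are rejected above, so forget them
		if now > exp.Unix() {
			delete(v.used, s)
		}
	}
	if _, seen := v.used[salt]; seen {
		return ErrReplayed
	}
	v.used[salt] = time.Unix(expires, 0)
	return nil
}

func main() {
	v := NewVerifier([]byte("server-secret-placeholder"))
	tok, _ := Solve(v.NewChallenge(2, time.Minute))
	fmt.Println("first submit:", v.Verify(tok))
	fmt.Println("second submit:", v.Verify(tok))
}
```

The replay key is the challenge salt rather than the full token: a client that solved one challenge could otherwise keep searching for further nonces and submit each one as a "new" token. Bounding the challenge lifetime with the signed expiry is what keeps the used-set small; in a multi-instance deployment the map would live in shared storage such as Redis with the same expiry.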

I don’t really understand how Altcha is supposed to work, but by completing a single captcha, an attacker can then reuse the token (without performing any additional effort) an unlimited number of times.

My intuition is that the purpose of the captcha is to prevent spam. If it is, it seems to fail in that regard. I haven’t looked at the code or into details about Altcha. Are you certain it is implemented correctly?

Are there any plans to support any other captchas?

zefir-git avatar Oct 25 '25 08:10 zefir-git