July 7, 2026
Captcha Bypass
Title: Complete Captcha Bypass on Publisher Registration Endpoint /webapi/auth/publisher leading to Mass Account Creation
By Ahemd ashraf
Vulnerability Type: Improper Authentication / Business Logic Flaw
Description: The application implements Google reCAPTCHA on the publisher registration page ([https://srm.cleeng.com/)](https://srm.cleeng.com/](https://srm.cleeng.com/))) to prevent automated account creation. However, the backend server at api.cleeng.com fails to validate the g-recaptcha-response parameter. An attacker can intercept the registration request, leave the captcha parameter completely empty (""), and successfully register an unlimited number of publisher accounts automatically.
Steps to Reproduce:
Navigate to the publisher registration page.
Fill in the registration details and intercept the request using Burp Suite before solving the captcha.
In the intercepted POST request to /webapi/auth/publisher, modify the payload to make the captcha parameter empty: "g-recaptcha-response": ""
Change the email address to a new one and send the request.
Notice that the server responds with HTTP/2 200 OK and successfully creates the account, returning a new publisherId (e.g., 654631087), completely bypassing the captcha restriction.
Impact: An attacker can utilize a simple script to register thousands of automated publisher accounts. This can lead to database inflation, business logic disruption, and financial/resource exhaustion on the underlying AWS API Gateway infrastructure.
Remediation: The backend code must strictly validate the g-recaptcha-response token on the server-side by making a server-to-server request to Google's reCAPTCHA API ([https://www.google.com/recaptcha/api/siteverify).](https://www.google.com/recaptcha/api/siteverify](https://www.google.com/recaptcha/api/siteverify)).) If the token is empty, missing, or invalid, the request must be rejected with an HTTP 400 or 403 Forbidden erro