Critical security vulnerability in reCAPTCHA Enterprise
I am building a Flutter app, and I am using Firebase Auth for authentication. I recently deployed my Flutter application via the play store, but got the following message:

Your latest production release (106 (1.9.4)) contains SDK issues: com.google.android.recaptcha:recaptcha:18.1.2 This SDK version has a note from the SDK developer. Here's what the SDK developer told us:

A critical security vulnerability was discovered in reCAPTCHA Enterprise for Mobile. The vulnerability has been patched in the latest SDK release. Customers will need to update their Android application with the reCAPTCHA Enterprise for Mobile SDK, version 18.4.0 or above. We strongly recommend you update to the latest version as soon as possible.

How can I fix this problem? I am already using the latest version of flutter and firebase auth. My flutter doctor is coming back all healthy. My build.gradle files don't contain any references to reCAPTCHA. From what I can tell, the entire reCAPTCHA setup is handled by firebase?

Stereotyped answered 11/1, 2024 at 8:29 Comment(5)
The answer is right there in the message: "Customers will need to update their Android application with the reCAPTCHA Enterprise for Mobile SDK, version 18.4.0 or above. We strongly recommend you update to the latest version as soon as possible." As shown earlier in that same message, you're currently using version 18.1.2. Upgrade to 18.4.0 or higher. - Tegument
@MarkRotteveel: Yup. This makes sense, but I am still confused why firebase auth would not handle this? That service is used by millions of people every day. How can it be that I have to keep the package dependencies updated? It feels like there is something deeper wrong with my setup. - Stereotyped
@MartinReindl What, you want someone else to change versions of packages on you without any predictability or control? No thanks. - Counter
Refer to the link for the latest answer: https://mcmap.net/q/622920/-critical-security-vulnerability-in-recaptcha-enterprise - Ruvolo
@MarkRotteveel The issue is resolved in the latest firebase-auth library. I have updated firebase-auth, which was previously '22.0.0' and is now '23.0.0'. To make sure that the issue is resolved you can run the gradle tasks by executing the ./gradlew app:dependencies command. - Porphyritic
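The comment above points at ./gradlew app:dependencies as the way to confirm which reCAPTCHA version actually ends up in the build. The following is an added Python example (not code from the thread, from Firebase or from Gradle) that parses constructed sample output of that command, follows Gradle's "requested -> resolved" notation, and reports whether every resolved recaptcha version is at least 18.4.0; the sample trees and the 50-line helper are assumptions, not the asker's real output.

```python
import re
from typing import Dict, List, Set, Tuple

RECAPTCHA = "com.google.android.recaptcha:recaptcha"

# Constructed samples of `./gradlew app:dependencies` output. In the first tree the app
# declares recaptcha 18.4.0 itself, so Gradle upgrades the 18.1.2 requested by
# firebase-auth 22.0.0 ("18.1.2 -> 18.4.0"); the second tree has no such override.
TREE_OVERRIDDEN = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
+--- com.google.firebase:firebase-auth:22.0.0
|    \\--- com.google.android.recaptcha:recaptcha:18.1.2 -> 18.4.0
\\--- com.google.android.recaptcha:recaptcha:18.4.0
"""
TREE_VULNERABLE = """\
releaseRuntimeClasspath - Runtime classpath of compilation 'release'.
\\--- com.google.firebase:firebase-auth:22.0.0
     \\--- com.google.android.recaptcha:recaptcha:18.1.2
"""

# One tree line: drawing chars, then group:name[:requested][ -> resolved][ (*)].
# A BOM-managed artifact has no requested version, only "-> resolved".
_DEP_RE = re.compile(
    r"^[|\s]*[+\\]--- (?P<group>[\w.\-]+):(?P<name>[\w.\-]+)"
    r"(?::(?P<requested>\S+))?(?: -> (?P<resolved>\S+))?"
)

def parse_version(text: str) -> Tuple[int, ...]:
    """'18.4.0' -> (18, 4, 0); a non-numeric piece such as 'beta01' counts as 0."""
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in text.split("."))

def resolved_versions(tree_text: str) -> Dict[str, Set[str]]:
    """Map each group:name to the set of versions Gradle actually resolved."""
    versions: Dict[str, Set[str]] = {}
    for line in tree_text.splitlines():
        m = _DEP_RE.match(line)
        if not m or line.rstrip().endswith("(n)"):  # "(n)" marks an unresolved entry
            continue
        version = m.group("resolved") or m.group("requested")
        if version:
            versions.setdefault(f"{m.group('group')}:{m.group('name')}", set()).add(version)
    return versions

def check_recaptcha(tree_text: str, minimum: str = "18.4.0") -> Tuple[str, List[str]]:
    """Return ('absent' | 'patched' | 'vulnerable', sorted resolved recaptcha versions)."""
    found = sorted(resolved_versions(tree_text).get(RECAPTCHA, set()))
    if not found:
        return "absent", found
    ok = all(parse_version(v) >= parse_version(minimum) for v in found)
    return ("patched" if ok else "vulnerable"), found
```

Feed it the real output of ./gradlew app:dependencies for the release configuration; a result of "vulnerable" means some path in the graph still resolves to a version below the minimum even if build.gradle never mentions reCAPTCHA directly.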
Update: It has been fixed in the latest version of firebase_auth.

As answered by Martin Reindl, you can override reCaptcha version by adding recaptcha_enterprise_flutter: ^18.4.0 or implementation 'com.google.android.recaptcha:recaptcha:18.4.0' in dependencies section of your app-level build.gradle file.

This happens because the latest version of firebase_auth uses recaptcha:18.1.2.

In this github issue it is confirmed that the fix is scheduled for the next release.

Pox answered 12/1, 2024 at 10:35 Comment(4)
I don't use the recaptcha library. Do I need to install recaptcha_enterprise_flutter: ^18.4.0? Is it that necessary? @AbhinavSingh Or should I just use implementation 'com.google.android.recaptcha:recaptcha:18.4.0'? - Baluchistan
Refer to the link for the latest answer: https://mcmap.net/q/622920/-critical-security-vulnerability-in-recaptcha-enterprise - Ruvolo
Now there's no need to do both. You just need to update the firebase_auth package to the latest version and it will fix this. - Pox
@GajananShinde There is no need to add the recaptcha dependency separately to your app's build.gradle file. Just update firebase-auth to the latest version and the issue will be solved. - Porphyritic
I solved this by adding the package: recaptcha_enterprise_flutter. This forced the upgrade to 18.4.0.

I would still appreciate a more complete answer of why this is happening? It seems incredibly odd that I have to patch security issues in firebase auth manually (when the service is used by tens of millions of users every day).

Stereotyped answered 11/1, 2024 at 13:15 Comment(1)
To solve the above issue in your flutter app:

  1. Update firebase_auth to the latest version.
  2. Update your gradle version to 7.4.2 or above.
Ruvolo answered 3/4, 2024 at 12:55 Comment(0)
As the quickest and simplest solution I added implementation 'com.google.android.recaptcha:recaptcha:18.4.0' to build.gradle, although I am not using reCAPTCHA in my app. This method worked and the warning was gone.

Guarino answered 18/1, 2024 at 2:20 Comment(1)
It seems like temporary patchwork. - Ruvolo
They have fixed it already in the latest SDK.

If you are using firebase-bom version 32.0.0 or lower, upgrade to 32.8.0:

  implementation(platform("com.google.firebase:firebase-bom:32.8.0"))
Poky answered 8/4, 2024 at 7:8 Comment(1)
I am having the same issue in my Android app but I am not using the "firebase-bom" dependency in my build.gradle (app). - Porphyritic
There are two solutions:

1. Without updating your firebase bom version, add the reCAPTCHA dependency.

 implementation 'com.google.android.recaptcha:recaptcha:18.4.0'

2. Simply update the firebase bom versions to 32.8.0 or later.

BEFORE

implementation platform('com.google.firebase:firebase-bom:32.3.1')

AFTER

implementation platform('com.google.firebase:firebase-bom:32.8.0')
Ephesians answered 1/7, 2024 at 7:39 Comment(0)