Google ReCAPTCHA v2 bypass

Question. Votes: 0, Answers: 0

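On Monday I deployed a brand-new version of the website. It has a contact form protected by Google ReCAPTCHA v2 Checkbox. Today I received the first spam (preview attached).

I mean, how is this possible? The backend implementation of the verification is shown below, and I believe it is impossible to submit the contact form successfully without Google's confirmation.

But the spam still arrived!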

    $name = $_POST['person__name'] ?? throw new InvalidArgumentException();
    $phone = $_POST['person__phone'] ?? throw new InvalidArgumentException();
    $email = $_POST['person__email'] ?? throw new InvalidArgumentException();
    $message = $_POST['message'] ?? throw new InvalidArgumentException();
    $type = $_POST['message__type'] ?? throw new InvalidArgumentException();
    $captcha = $_POST['g-recaptcha-response'] ?? throw new InvalidArgumentException();

    $url = sprintf(
        'https://www.google.com/recaptcha/api/siteverify?secret=%s&response=%s',
        urlencode('SECRET_RECAPTCHA_KEY'),
        urlencode($captcha),
    );

    $response = json_decode(file_get_contents($url));

    if ($response->success !== true) {
        throw new InvalidArgumentException('Recaptcha');
    }
php email security recaptcha spam-prevention
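
A stricter form of the siteverify check in the question, as an added example that is not part of the original post: it sends the secret in a POST body, fails closed on transport or JSON errors, and also checks the `hostname` and `challenge_ts` fields of the response. The function names, `EXPECTED_HOST` and `MAX_TOKEN_AGE` are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example. EXPECTED_HOST and MAX_TOKEN_AGE are assumed values.
const EXPECTED_HOST = 'www.example.com';
const MAX_TOKEN_AGE = 120; // seconds

/** Pure check on a decoded siteverify response: null if accepted, else a reason. */
function recaptchaRejectReason(mixed $resp, int $now): ?string
{
    if (!is_array($resp)) {
        return 'no-or-invalid-json';
    }
    if (($resp['success'] ?? null) !== true) {
        return 'not-successful: ' . implode(',', (array)($resp['error-codes'] ?? []));
    }
    if (($resp['hostname'] ?? '') !== EXPECTED_HOST) {
        return 'hostname-mismatch';
    }
    $ts = strtotime((string)($resp['challenge_ts'] ?? ''));
    if ($ts === false || $now - $ts > MAX_TOKEN_AGE) {
        return 'stale-or-missing-timestamp';
    }
    return null;
}

function verifyRecaptcha(string $secret, string $token): void
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'POST',
        'header'        => 'Content-Type: application/x-www-form-urlencoded',
        'content'       => http_build_query(['secret' => $secret, 'response' => $token]),
        'timeout'       => 5,
        'ignore_errors' => true,
    ]]);
    $body = @file_get_contents('https://www.google.com/recaptcha/api/siteverify', false, $ctx);
    $resp = $body === false ? null : json_decode($body, true);
    $reason = recaptchaRejectReason($resp, time());
    if ($reason !== null) {
        error_log('reCAPTCHA rejected: ' . $reason); // keep the reason for later review
        throw new InvalidArgumentException('Recaptcha');
    }
}

// Constructed sample responses (not captured from a real request):
$now = strtotime('2024-01-01T12:00:30Z');
$ok  = ['success' => true, 'hostname' => 'www.example.com', 'challenge_ts' => '2024-01-01T12:00:00Z'];
$bad = ['success' => true, 'hostname' => 'other.example', 'challenge_ts' => '2024-01-01T12:00:00Z'];
var_dump(recaptchaRejectReason($ok, $now), recaptchaRejectReason($bad, $now), recaptchaRejectReason(null, $now));
```

A successful siteverify result shows only that the challenge for this token was solved; it does not show who solved it, so logging the rejection reason and the accepted submissions helps when reviewing spam that still arrives.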