'Lack of CAPTCHA' is not always a valid vulnerability or risk

CAPTCHA is a valid security control. However, the lack of it is not a valid vulnerability in every case, and 'lack of CAPTCHA' by itself is definitely not a risk. At most, it may be part of a risk.

CAPTCHA is a valid security control. However,
- It is applicable ONLY under a few conditions, which means,
- 'Lack of CAPTCHA' may or may not be a valid vulnerability, and,
- 'Lack of CAPTCHA' is PART of a risk, not 'the' risk.

Taxonomy first.

CAPTCHA - Google's support documentation describes the Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA) as a type of security control/measure (challenge-response authentication).

Vulnerability - weakness of an asset or control that can be exploited by one or more threats (https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en).

Risk - Effect of uncertainty on objectives (https://www.iso.org/obp/ui/#iso:std:iso-iec:27000:ed-5:v1:en). It can be positive or negative, and it is incomplete without both an effect (impact) and an uncertainty (probability of occurrence).

Lack of a control is only half of a risk; the other half comes from the impact (what is the effect of 'lack of CAPTCHA'?) combined with the context (the asset, any other factors, etc.). Whether 'lack of CAPTCHA' is a vulnerability is determined by that context. It is NOT a valid risk on its own; at most, it is an incomplete part of a potentially valid risk.

CAPTCHA is used to minimize automated attacks on a dynamic page that accepts user input (e.g., a contact form, a login page, a search engine front page, etc.). In its absence, cyber-criminals (or bots run by them) can attack the dynamic page with the objective of compromising it (or the information behind it) or abusing it to retrieve information.

CAPTCHA is NOT a valid control if...

  1. ...the page (or site) doesn't have any dynamic forms or fields that accept user input. There is no reason to protect such a static website with CAPTCHA.
  2. ...the cost of CAPTCHA (implementing it, maintaining updates, addressing user queries, etc.) outweighs the value of the information it protects (e.g., the static site of an NGO). In this case, the cost of the control is greater than the risk itself.

'Lack of CAPTCHA' is not a valid vulnerability if the site doesn't need it (e.g., the static site of an NGO).

Risk is always characterized by impact and probability, and it is usually expressed as a sentence. It is always the context that determines the risk, never the lack of a control alone.


'Lack of CAPTCHA' is not a risk.
'Lack of CAPTCHA, with a 40% chance of resulting in automated attacks, within the month, on the contact-us page, that may result in a leak of email IDs & payment details of all European customers of our website, ending up in a GDPR violation and a fine of 4% of our revenue for FY21-22' is a valid risk.

That '40% chance...' may come from other security controls, such as a WAF (Web Application Firewall), while '...may result in a leak of...' may come from a VAPT conducted a few weeks ago.
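To make the taxonomy concrete, here is an added Python example (not from the original post) that applies the two "CAPTCHA is NOT a valid control if..." tests and refuses to call a finding a risk until both probability and impact are present. The page names, control costs, information values and the revenue figure are constructed values, not data from the post.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PageContext:
    """Constructed description of one page, used to judge whether CAPTCHA applies."""
    name: str
    accepts_user_input: bool   # any dynamic form or field that takes user input?
    control_cost: float        # cost to implement and maintain CAPTCHA (currency units)
    information_value: float   # value of the information the page protects


def captcha_is_valid_control(page: PageContext) -> bool:
    """Condition 1: no user input -> nothing for CAPTCHA to protect.
    Condition 2: control costs more than the information -> not a valid control.
    In both cases 'lack of CAPTCHA' on that page is not a vulnerability."""
    if not page.accepts_user_input:
        return False
    return page.control_cost <= page.information_value


@dataclass
class Risk:
    """A risk statement is complete only with probability AND impact, in context."""
    weakness: str                        # e.g. 'lack of CAPTCHA'
    asset: str                           # e.g. 'contact-us page'
    probability: Optional[float] = None  # 0..1, within the stated timeframe
    timeframe: Optional[str] = None      # e.g. 'the month'
    impact: Optional[str] = None         # effect if the event materialises
    loss: Optional[float] = None         # monetary estimate of that impact

    def is_complete(self) -> bool:
        return self.probability is not None and self.impact is not None

    def expected_loss(self) -> Optional[float]:
        # Half a risk (no probability or no impact) yields no usable number.
        if not self.is_complete() or self.loss is None:
            return None
        return self.probability * self.loss

    def sentence(self) -> str:
        if not self.is_complete():
            return f"'{self.weakness}' on {self.asset}: INCOMPLETE, not a risk (missing probability or impact)"
        return (f"'{self.weakness}', with {self.probability:.0%} chance of resulting in automated attacks, "
                f"within {self.timeframe}, on the {self.asset}, that may result in {self.impact}")


if __name__ == "__main__":
    revenue = 10_000_000.0  # constructed FY revenue; the 4% fine from the post applies to it
    full = Risk("lack of CAPTCHA", "contact-us page", 0.4, "the month",
                "a leak of email IDs and payment details, ending in a GDPR fine", 0.04 * revenue)
    print(Risk("lack of CAPTCHA", "contact-us page").sentence())
    print(full.sentence(), "| expected loss:", full.expected_loss())
```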