- Bug
- Resolution: Unresolved
- Minor
- None
- 3.11.3, 3.11.4
- MySQL
- MOODLE_311_STABLE

On /login/signup.php, a reCAPTCHA failure does not prevent a bot from deducing that a username or email already exists. If reCAPTCHA is enabled and fails, Moodle should not validate the other fields yet, to prevent enumeration of usernames and emails.
This means that a bot can simply use the /login/signup.php page to check, by brute force, whether a particular email already exists as a valid user on the site. The reCAPTCHA offers no protection against this. This would help attackers target specific users to attack on the site.
Reproduction Steps
- Go to login/signup.php
- Enter an email address that you know already exists as a user.
- Fill in the rest of the sign up form.
- Submit the form and deliberately fail the reCAPTCHA test (as a bot would).
- An error message appears saying "This email address is already registered. Perhaps you created an account in the past?"
This confirms that the email address is a valid user and can be used to target specific users to attack.
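
The validation order the report asks for, sketched as an added example (not Moodle's own code, and not part of the original report): a failed CAPTCHA returns before any account lookup runs, so the response carries no information about existing users. All function names, the sample accounts and the username message are hypothetical; only the email message text is taken from the report.

```php
<?php
declare(strict_types=1);

// Constructed sample data: accounts that already exist on the site.
const EXISTING_EMAILS = ['alice@example.com'];
const EXISTING_USERNAMES = ['alice'];

/** Checks whose error messages reveal that an account exists (hypothetical helper). */
function account_errors(array $form): array {
    $errors = [];
    if (in_array(strtolower($form['username']), EXISTING_USERNAMES, true)) {
        $errors['username'] = 'This username already exists.'; // constructed message
    }
    if (in_array(strtolower($form['email']), EXISTING_EMAILS, true)) {
        $errors['email'] = 'This email address is already registered. '
            . 'Perhaps you created an account in the past?';
    }
    return $errors;
}

/** Behaviour described in the report: account checks run even when the CAPTCHA failed. */
function validate_signup_reported(array $form, bool $captchaok): array {
    $errors = account_errors($form);
    if (!$captchaok) {
        $errors['recaptcha'] = 'CAPTCHA verification failed.';
    }
    return $errors;
}

/** Requested behaviour: a failed CAPTCHA is the only error returned. */
function validate_signup_gated(array $form, bool $captchaok): array {
    if (!$captchaok) {
        return ['recaptcha' => 'CAPTCHA verification failed.'];
    }
    return account_errors($form);
}

// Same submission against both orderings, with the CAPTCHA failed.
$form = ['username' => 'newuser', 'email' => 'alice@example.com'];
$validators = ['reported' => 'validate_signup_reported', 'gated' => 'validate_signup_gated'];
foreach ($validators as $name => $fn) {
    $fields = array_keys($fn($form, false));
    echo $name, ' (CAPTCHA failed): errors on ', implode(', ', $fields), PHP_EOL;
}
```

With the gated ordering, the account checks and their messages are only reachable by a request that has already passed the CAPTCHA.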