kbwood / realperson

jQuery Real Person Plugin

Absurdly easy to bypass #3

Open maf1024 opened 10 years ago

maf1024 commented 10 years ago

Because the hash is calculated client-side, it's incredibly easy to automate form entry on any form using this by simply filling out the hash field:

$(".hasRealPerson").val("ABSURD");
$(".realperson-hash").val($.realperson._hash("ABSURD"));

An attacker doesn't even have to use JavaScript for submits; they can just use _hash once to figure out one matching pair of values, and then pass that into whatever app to keep making POST requests.

Even if the hash was calculated & salted server-side and the captcha was also generated server-side, there's still the absurd fact that the captcha text is presented as a series of predictable, easy-to-interpret, plaintext asterisk characters!

I'm sorry, but this entire plugin is laughable.
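An added illustration (not from the thread or the plugin) of the server-side design the OP's point calls for: the server generates the challenge, keeps the expected answer in its own session store so nothing reproducible is sent to the client, and each challenge is single-use so a known-good pair cannot be replayed. The in-memory `SESSIONS` dict stands in for a real server-side session backend and is a constructed placeholder.

```python
import hmac
import secrets
import string

# Constructed stand-in for a server-side session store: session_id -> answer.
# Nothing in here ever reaches the client, unlike a client-computed hash field.
SESSIONS = {}

ALPHABET = string.ascii_uppercase + string.digits


def issue_challenge(session_id: str, length: int = 6) -> str:
    """Server-side challenge generation.

    The answer is drawn from a CSPRNG and recorded against the session.
    The returned text is meant to be rendered as a distorted image by the
    server, not echoed as plaintext/asterisk art the client can read back.
    """
    answer = "".join(secrets.choice(ALPHABET) for _ in range(length))
    SESSIONS[session_id] = answer
    return answer


def verify(session_id: str, submitted: str) -> bool:
    """Single-use, constant-time check of a submitted CAPTCHA answer.

    The stored answer is removed on the first attempt, right or wrong, so a
    valid pair cannot be replayed and repeated guessing needs a new challenge.
    """
    expected = SESSIONS.pop(session_id, None)
    if expected is None:
        return False
    candidate = submitted.strip().upper().encode()
    return hmac.compare_digest(expected.encode(), candidate)
```

Because the answer is only ever compared server-side, a client that pre-fills the form field has nothing to pre-fill: it never sees a value it could recompute or reuse across requests.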

iamvinny commented 6 years ago

I just exploited a site that was using this project; it took less than 5 minutes to figure it out. Now I've seen this issue from 4 years ago, and I wonder why someone would still use it nowadays. Hahaha.

johnsaigle commented 3 years ago

All the way in 2021, this library is still being used. OP is correct in saying that there are numerous ways to bypass the CAPTCHA system used here.

If you're using this library currently, I'd recommend finding a different solution.