I am building a Flutter app, and I am using Firebase Auth for authentication. I recently deployed my Flutter application via the Play Store, but got the following message:
Your latest production release (106 (1.9.4)) contains SDK issues: com.google.android.recaptcha:recaptcha:18.1.2 This SDK version has a note from the SDK developer. Here's what the SDK developer told us:
A critical security vulnerability was discovered in reCAPTCHA Enterprise for Mobile. The vulnerability has been patched in the latest SDK release. Customers will need to update their Android application with the reCAPTCHA Enterprise for Mobile SDK, version 18.4.0 or above. We strongly recommend you update to the latest version as soon as possible.
How can I fix this problem? I am already using the latest version of Flutter and Firebase Auth. My flutter doctor is coming back all healthy. My build.gradle files don't contain any references to reCAPTCHA. From what I can tell, the entire reCAPTCHA setup is handled by Firebase?
Update: It has been fixed in the latest version of firebase_auth.
As answered by Martin Reindl, you can override the reCAPTCHA version by adding recaptcha_enterprise_flutter: ^18.4.0 or implementation 'com.google.android.recaptcha:recaptcha:18.4.0' in the dependencies section of your app-level build.gradle file.
This happens because the last version of Firebase Auth uses recaptcha:18.1.2.
In this GitHub issue it is confirmed that the fix is scheduled for the next release.
I solved this by adding the package: recaptcha_enterprise_flutter. This forced the upgrade to 18.4.0.
I would still appreciate a more complete answer as to why this is happening. It seems incredibly odd that I have to patch security issues in Firebase Auth manually (when the service is used by tens of millions of users every day).
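Whichever override is used, it is worth confirming that the release classpath really resolves the reCAPTCHA SDK to 18.4.0 or above before uploading a new build. The script below is an added example, not code from any of the posts or from Firebase: it parses the dependency tree printed by `./gradlew :app:dependencies --configuration releaseRuntimeClasspath` (run from the `android/` directory, an assumption about the project layout) and reports any resolved version below the fixed one. The two trees embedded in it are constructed samples, and the function names are hypothetical.

```python
import re

COORD = "com.google.android.recaptcha:recaptcha"
MIN_FIXED = (18, 4, 0)  # first patched release named in the Play Console note

# Constructed sample trees, shaped like `gradlew :app:dependencies` output.
BEFORE = """\
releaseRuntimeClasspath - Runtime classpath of /release.
+--- project :firebase_auth
|    \\--- com.google.android.recaptcha:recaptcha:18.1.2
\\--- androidx.core:core:1.0.0
"""
AFTER = """\
releaseRuntimeClasspath - Runtime classpath of /release.
+--- project :firebase_auth
|    \\--- com.google.android.recaptcha:recaptcha:18.1.2 -> 18.4.0
\\--- com.google.android.recaptcha:recaptcha:18.4.0
"""

# "group:name:requested", optionally followed by "-> resolved" when Gradle's
# conflict resolution picked a different version than the one requested.
LINE = re.compile(
    re.escape(COORD)
    + r"(?::(?P<req>\{[^}]*\}|\S+))?(?:\s+->\s+(?P<res>\S+))?"
)

def parse(version):
    """Turn '18.4' or '18.4.0-beta01' into a comparable 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def resolved_versions(tree):
    """Versions Gradle actually selected for COORD (resolved wins over requested)."""
    found = set()
    for line in tree.splitlines():
        m = LINE.search(line)
        if m and (m.group("res") or m.group("req")):
            found.add(m.group("res") or m.group("req"))
    return found

def vulnerable_versions(tree):
    return sorted(v for v in resolved_versions(tree) if parse(v) < MIN_FIXED)

def is_patched(tree):
    # An empty result means the SDK is not on this classpath at all.
    return bool(resolved_versions(tree)) and not vulnerable_versions(tree)

if __name__ == "__main__":
    for name, tree in (("before", BEFORE), ("after", AFTER)):
        print(name, "patched" if is_patched(tree) else vulnerable_versions(tree))
```

In CI, pipe the real Gradle output into `is_patched` and fail the build when it returns False.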