I have the source code too and checked it already. The gist of the code is:
```
if subform:
    if captcha fails:
        feedback = "Failed recaptcha test"
...
if feedback != 'Failed recaptcha test' (&& other stuff):
    do subscribe
```
edit: misread the code and formatting on HN didn't even show my intent, but the subform check doesn't contain the subscribe logic. The bug is clearly that it doesn't check if the captcha has passed.
And the point is that anyone with even a modicum of dev experience can remove the `subform` field and automate submission to the otherwise-standard form and completely bypass ReCAPTCHA.
The issue goes even deeper: if subform is set to no then sendy considers the user as added via api. This should mean that it would verify_api_key before allowing such a submission, but sendy doesn't verify the API key for subscribe calls (doh!). Old forum posts suggest that double-opt-in is a solution, however not only can you bypass the captcha and form with subform=no, you can also bypass double-opt-in via the subscribe API by sending silent=true in your POST.
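The decision logic described in this thread, modelled as an added example (not Sendy's code): the vulnerable flow beside a hardened one that ties the captcha to form submissions and the API key to everything else, including `silent`. The `api_key` and `g-recaptcha-response` field names and all token values are constructed placeholders.

```python
import hmac

# Constructed placeholders for the example; not real keys or tokens.
VALID_API_KEY = "constructed-api-key"
VALID_CAPTCHA_TOKEN = "constructed-valid-token"


def captcha_passes(fields):
    """Stand-in for the reCAPTCHA verification round-trip."""
    return fields.get("g-recaptcha-response") == VALID_CAPTCHA_TOKEN


def api_key_valid(fields):
    """Constant-time comparison of the submitted key against the stored one."""
    return hmac.compare_digest(str(fields.get("api_key", "")), VALID_API_KEY)


def vulnerable_decision(fields):
    """Models the flow described above. Returns (subscribe, skip_confirmation).
    The captcha is only checked when `subform` is set, the subscribe branch only
    looks for the failure string, the API key is never verified, and `silent`
    is honoured for anyone."""
    feedback = ""
    if fields.get("subform") == "yes":
        if not captcha_passes(fields):
            feedback = "Failed recaptcha test"
    subscribe = feedback != "Failed recaptcha test"
    skip_confirmation = fields.get("silent") == "true"
    return subscribe, skip_confirmation


def hardened_decision(fields):
    """Each path must prove something: a form submission must pass the captcha
    and can never skip double opt-in; an API submission must carry a valid key,
    and only then is `silent` honoured."""
    if fields.get("subform") == "yes":
        return captcha_passes(fields), False
    if not api_key_valid(fields):
        return False, False
    return True, fields.get("silent") == "true"
```

The cases worth keeping as regression tests are a form post with a bad token, a post with `subform` absent and no key, and a form post that also carries `silent`.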