CAPTCHA - I think they might figure it out....



  • <?php  $code = substr(md5(mt_rand()),0,5); ?>

    Verification: <input type='text' name='verification' size='18' maxlength='100' >

    <br/>

    <img src='/image.php?randcode=<?php echo $code ?>

    <input type=hidden name=code value=<?php echo $code) ?> />

    ...

    And when the form is submitted:

    if ($_POST['code'] !== $_POST['verification'])
       // some error handling that isn't good either

     

    So take a MD5 of a random number-- take the first 5 characters, randomly generate a CAPTCHA image with those 5 characters-- then send the plaintext code to the browser.  Not that it matters, since the must-match-to is sent back by the client.

    The rest of the form isn't much better.

    As for me?  In greasemonkey:

    document.getElementsByName('verification'][0].value = document.getElementsByName('code')[0].value;

    Go hacker me. =(



  • The point is that automated programs that aren't specifically designed for this form won't be able to cause any damage by entering random data into the form.



  •  Then why bother with a randomly generated (and hard to read) image at all? 

    Why not just plaintext on the screen that says "Type the word DOG into this box: [   ]".

    Any drive-by would still fail.  Anyone with any intention of abusing the form could still do so as easily as the current system.  Valid users of the form are less pissed off.

    Oh, another fun one I just noticed.  The handler does some rudimentary spam-checking based on the HTTP referer.  Except not.  It does the checking based on $_POST['someObscureField'], which is a hidden field on the form-- which is populated with the referer when the contact form is requested.

     So they've just made it EASIER to spoof the referer...



  • @halcyon1234 said:

    Then why bother with a randomly generated (and hard to read) image at all?

    That's in case you don't want any automated programs at all, depend on whether or not you want legitimate programs or no programs. It also depends if you browse with images turned off.



  • @zzo38 said:

    That's in case you don't want any automated programs at all, depend on whether or not you want legitimate programs or no programs. It also depends if you browse with images turned off.
    I think you're still missing the point.  The way this "CAPTCHA" has been implemented, it's actually easier for bots to pass it than for humans.  Sort of a "reverse CAPTCHA", really.

    The "type DOG in this box" method would be just as effective at blocking bots (i.e. it'd stop naive bots not aware of it, but would be trivial to circumvent) while being much easier for humans (especially the blind ones).



  • @vyznev said:

    The "type DOG in this box" method would be just as effective at blocking bots (i.e. it'd stop naive bots not aware of it, but would be trivial to circumvent) while being much easier for humans (especially the blind ones).

    This reminds me of Jeff Atwood's "CAPTCHA" that he had on his blog for years (and he may still).   It was very successful at stopping bots but the comments were riddled with useless posts by people who thought it was broken.  The irony of that always amused me greatly.



  •  orange? I think he switched to recaptcha some time ago.



  •  Yes, Morbius, how dare younot be up to date in your knowledge of Jeff Atwood's CAPTCHA practices.You're a bot, aren't you? I knew it.



  • @morbiuswilters said:

    @vyznev said:

    The "type DOG in this box" method would be just as effective at blocking bots (i.e. it'd stop naive bots not aware of it, but would be trivial to circumvent) while being much easier for humans (especially the blind ones).

    This reminds me of Jeff Atwood's "CAPTCHA" that he had on his blog for years (and he may still).   It was very successful at stopping bots but the comments were riddled with useless posts by people who thought it was broken.  The irony of that always amused me greatly.

     

    Once his blog reached critical suck mass, he had to change it because the bots had figured it out.  Or maybe he just got sick of all the stupid "orange" comments.

    When I first opened this thread I thought I was reading about a hidden (JavaScript) captcha, which can be pretty effective at stopping most bots while being completely invisible to most users.  It's actually possible that that's what this example really is, just not the best implementation, and the rest of the JS is missing from the post.  Then again, it could just be exactly what it looks like - a worse-than-useless square wheel chiseled out by someone without any understanding of web security.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.