upickem CAPTCHA fail
Second Street Media Solutions has a service called upickem that runs voting sites for various groups, including one for the tbt*. A friend is in one of these contests so I have voted a few times (you can log a vote once per day). Strangely enough after a couple of rounds I have had autofill help out on the CAPTCHA and even more strangely it was right. I checked the source and found the problem: they simply use one of 30 sequentially named JPEG files to make what appears to be but really isn’t a CAPTCHA. This reeks of management saying, “do that thing where you type in what you see” and development faking it. Unsurprisingly, the use of custom subdomains was lazily implemented too–any other [sequential] ID can be subbed in and you can see other ongoing contests inside the wrong template.
The sad part is they charge money for this stuff. Well that’s not sad, the sad part is people actually pay for it.
Interesting discovery. This is why I am way more supportive of the ReCAPTCHA project. I didn’t know that anyone could half-ass a CAPTCHA implementation and now I see how it could be done.
~Joe
It happens more than you’d think, just usually not on commercial software. Not sure what it actually does because people who know how to write bots are probably clever enough to realize it’s just a couple of static images. Simply record each one, line them up with their hashes and you’re off to the races.