Коментарі для запису: MoBiC-04: reCaptcha CAPTCHA bypass

Коментарі для запису: MoBiC-04: reCaptcha CAPTCHA bypass http://websecurity.com.ua/1505/ Fri, 12 Mar 2010 20:26:03 +0000 http://wordpress.org/?v=MustLive Edition від: unknown http://websecurity.com.ua/1505/#comment-307996 Fri, 25 Dec 2009 06:12:44 +0000 http://websecurity.com.ua/1505/#comment-307996 hello, i need to bypass chapcha on this page, im not quiete sure how to do so. is it still possible? thank you RRR hello,

i need to bypass chapcha on this page, im not quiete sure how to do so.

is it still possible?

thank you
RRR

]]> від: Ben Maurer http://websecurity.com.ua/1505/#comment-76727 Thu, 08 Nov 2007 22:38:07 +0000 http://websecurity.com.ua/1505/#comment-76727 Actually, the reCAPTCHA plugin is a "subplugin" of the CAPTCHA plugin. So the CAPTCHA plugin hole (which was fixed months ago) is the real cause of the problem. reCAPTCHA actually gives admins better tools than most CAPTCHAs to enforce security. As an example, reCAPTCHA takes care of duplicate solutions, preventing the site administrators from needing to worry about this. Full disclosure is a good practice. What is not a good practice is full disclosure before notifying the authors of the code in question and giving them a chance to fix it. I really hope you'll reconsider this for the future. Actually, the reCAPTCHA plugin is a “subplugin” of the CAPTCHA plugin. So the CAPTCHA plugin hole (which was fixed months ago) is the real cause of the problem.

reCAPTCHA actually gives admins better tools than most CAPTCHAs to enforce security. As an example, reCAPTCHA takes care of duplicate solutions, preventing the site administrators from needing to worry about this.

Full disclosure is a good practice. What is not a good practice is full disclosure before notifying the authors of the code in question and giving them a chance to fix it. I really hope you’ll reconsider this for the future.

]]> від: MustLive http://websecurity.com.ua/1505/#comment-76726 Thu, 08 Nov 2007 21:49:32 +0000 http://websecurity.com.ua/1505/#comment-76726 <strong>Ben</strong> It's good that you responded. As I wrote in my article after I found this hole at keng.ws, I also tested at some others sites which use reCaptcha and they were not vulnerable to this hole. So it's some issue at this site (with plugin or with Drupal) and it's possible that there are many sites with such hole. At page on which you referred to said that problem not in Drupal itself (Drupal core is not affected), but in Captcha plugin. So it's plugin issue, not engine, as developers said. And it's another plugin, than reCaptcha. So in case if it's the same issue, than the hole is in Captcha plugin and in reCaptcha plugin (for Drupal, and there is possibility that plugins for others CMS can have such hole too). Man, I'm not just blogging like you said. It is a project - <a href="/1492/" rel="nofollow">Month of Bugs in Captchas</a>. And in this project, like in my previous project <a href="/category/moseb/" rel="nofollow">Month of Search Engines Bugs</a>, I'm using full disclosure. So all information posted with details. But I'm trying to inform beforehand every participant of the project (owners of the sites with vulnerable captchas) about holes at their sites. From your side, you need to work that every plugin and every engine which use reCaptcha have no such Insufficient Anti-automation vulnerablities. And inform every site's admin which has vulnerable reCaptcha setup about that. Ben

It’s good that you responded. As I wrote in my article after I found this hole at keng.ws, I also tested at some others sites which use reCaptcha and they were not vulnerable to this hole. So it’s some issue at this site (with plugin or with Drupal) and it’s possible that there are many sites with such hole.

At page on which you referred to said that problem not in Drupal itself (Drupal core is not affected), but in Captcha plugin. So it’s plugin issue, not engine, as developers said. And it’s another plugin, than reCaptcha. So in case if it’s the same issue, than the hole is in Captcha plugin and in reCaptcha plugin (for Drupal, and there is possibility that plugins for others CMS can have such hole too).

Man, I’m not just blogging like you said. It is a project - Month of Bugs in Captchas. And in this project, like in my previous project Month of Search Engines Bugs, I’m using full disclosure. So all information posted with details. But I’m trying to inform beforehand every participant of the project (owners of the sites with vulnerable captchas) about holes at their sites. From your side, you need to work that every plugin and every engine which use reCaptcha have no such Insufficient Anti-automation vulnerablities. And inform every site’s admin which has vulnerable reCaptcha setup about that.

]]> від: Ben Maurer http://websecurity.com.ua/1505/#comment-73262 Mon, 05 Nov 2007 19:23:47 +0000 http://websecurity.com.ua/1505/#comment-73262 Hi, I'm one of the engineers on reCAPTCHA. This issue appears to be drupal.org/node/114364. It is a security flaw in the drupal code rather than the reCAPTCHA plugin. In the future, we'd appreciate disclosure of potential security issues via support@recaptcha.net rather than by blogging. Hi,

I’m one of the engineers on reCAPTCHA. This issue appears to be drupal.org/node/114364. It is a security flaw in the drupal code rather than the reCAPTCHA plugin.

In the future, we’d appreciate disclosure of potential security issues via support@recaptcha.net rather than by blogging.

]]>