MoBiC-28: IPB CAPTCHA bypass
20:23 28.11.2007
The next participant of the project is the Invision Power Board captcha, which is used on the registration page. The vulnerable version is IPB 2.2.0 (and previous and possibly later versions). Other forum engines also have vulnerable captchas.
According to Google, there are up to 3130000 sites on the Internet running this forum engine. Counting all the sites that use IPB but carry no “Powered by Invision Power Board” sign, potentially millions more sites are at risk because of this insecure captcha.
This captcha is vulnerable to the half-automated method, one of the Advanced MustLive CAPTCHA bypass methods. I found this Insufficient Anti-automation hole on 05.08.2007.
In the half-automated method you need to prepare captcha image-code pairs beforehand (because the captcha images are one-time). For the bypass you need to use new regid and reg_code values for every post. It is not fully automated, but it is still a half-automated bypass (without OCR, using only vulnerabilities in the captcha itself). Those who do not want to do the work themselves can use a cheap work force to prepare the image-code pairs, or use OCR software (even without real-time recognition). If this method is not too effective for personal captcha bypassing, then combined with a cheap work force (or the porn-site relay variant) or OCR it is a very effective method (and in that case it can be fully automated). And bad guys often use such techniques. That is why web developers need to improve captchas that are vulnerable to the half-automated method, to prevent spam and other automated activity: if not OCR, then at least the work force and porn-site relay variants.
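The defender's side of the flaw described above, as an added example that is not MustLive's exploit or IPB's own code: a registration-captcha store that accepts a pair prepared earlier from any session at any time, beside one that binds each challenge to the session that received it, expires it, and consumes it on the first attempt. The class names, the 300-second TTL and the sample codes are assumptions constructed for the example.

```python
import secrets

CAPTCHA_TTL = 300  # seconds a challenge stays valid (assumed value)


class WeakCaptchaStore:
    """Models the weakness: pairs are keyed only by regid, never expire and
    are not bound to a visitor session, so a pair prepared beforehand still
    validates later, from any session, as many times as it is submitted."""

    def __init__(self):
        self.pending = {}  # regid -> code

    def issue(self, session_id, code, now):
        regid = secrets.token_hex(16)
        self.pending[regid] = code  # session and time are ignored
        return regid

    def verify(self, regid, reg_code, session_id, now):
        return self.pending.get(regid) == reg_code  # stays valid after use


class HardenedCaptchaStore:
    """Each challenge is tied to one session, has a TTL and is single-use."""

    def __init__(self, ttl=CAPTCHA_TTL):
        self.ttl = ttl
        self.pending = {}  # regid -> (code, session_id, issued_at)

    def issue(self, session_id, code, now):
        regid = secrets.token_hex(16)
        self.pending[regid] = (code, session_id, now)
        return regid

    def verify(self, regid, reg_code, session_id, now):
        entry = self.pending.pop(regid, None)  # consumed on any attempt
        if entry is None:
            return False
        code, owner, issued_at = entry
        if owner != session_id or now - issued_at > self.ttl:
            return False
        return secrets.compare_digest(code, reg_code)


def stale_pair_accepted(store):
    """Pair issued to session A; redeemed an hour later from session B."""
    t0 = 1_000_000  # constructed clock value
    regid = store.issue("session-A", "K7PQ2", t0)
    return store.verify(regid, "K7PQ2", "session-B", t0 + 3600)


def replay_accepted(store):
    """Same pair submitted twice from the session that received it."""
    t0 = 1_000_000
    regid = store.issue("session-A", "K7PQ2", t0)
    first = store.verify(regid, "K7PQ2", "session-A", t0 + 10)
    return first and store.verify(regid, "K7PQ2", "session-A", t0 + 20)
```

Consuming the entry on a wrong answer as well means a harvested pair cannot be retried, which is what stops the prepared-pairs approach.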
Insufficient Anti-automation:
This exploit is for educational purposes only. Don’t use it for malicious purposes on any site running Invision Power Board.
You need to set up the exploit to test it (set the site’s URL and other data).
Moral: try to make more secure captchas.
P.S.
I have also prepared other vulnerabilities in one captcha, so wait for today’s bonus post.