LearnWPF.com, my WPF community site, was recently featured in the “Month of Bugs in CAPTCHAs” on websecurity.com.ua. Essentially they’re picking existing CAPTCHA implementations and picking holes in them. They wouldn’t have had to pick too hard or far - LearnWPF’s CAPTCHA implementation is only marginally more difficult to break than Jeff Atwood’s or Leon Bambrick’s, who both use hard-coded words. For LearnWPF the CAPTCHA word was embedded in the HTML and passed to the handler that creates the image via the URI (or at least it USED to work that way), so anyone who read the page source, or the image URL, already had the answer without ever looking at the image. This is an intentionally naive implementation - CAPTCHAs don’t have to be convoluted to be effective, and until the websecurity.com.ua folks were kind enough to post a link about how bad it was on their site it had done a pretty good job of keeping out spam.

The CAPTCHA code was built into my friend Darren Neimke’s Single User Blog (which LearnWPF runs on) and I’d never bothered to change it… until tonight! I hope I’m not misrepresenting Darren here, but I see him as a great minimalist - he writes simple code that mostly works (which is why his CAPTCHA is so basic). Thus it was trivial to change the CAPTCHA to work in a different way that does NOT expose the “are you actually human” word. For good measure I changed the background colours of the generated image to fit in more with my site theme, and also randomized the font, for a total of about 15 minutes of dev effort (plus or minus a few hours of effort to deploy the updated app to the interwebs).

There is one pretty large “environmental assumption” baked in to the implementation - that the browser accepts cookies (a free hint I’m giving out to those 133t security guys on how this crazy code might be implemented). I look forward to seeing how the websecurity folk break* it now (or alternatively I’ll be cursing my own hubris in the morning when I hear about how the site is totally b0rk3d from the update).
* most of the websecurity links to scripts that “break” other captchas don’t seem to work, but I try hard not to be too critical of the work of others.
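An added example (not the LearnWPF or Single User Blog code, and in Python rather than the ASP.NET the blog runs on) of the two schemes the post contrasts: the old one, where the word is interpolated into the page and handed to the image handler in the query string, and a cookie-bound one in which the browser holds only an opaque session id and both the image handler and the form verifier look the word up server-side. The word list, the handler path /captcha.ashx and the SessionStore class are assumptions for the demo. Two caveats the post does not spell out: the cookie must carry an opaque id and never the word or an encoding of it, and the stored word should be consumed on the first verification attempt so that one solved image cannot be replayed against the form.

```python
import hmac
import html
import secrets

# Constructed word list for the demo; the real site's list is not on the page.
WORDS = ["kitten", "teapot", "window", "garden", "bottle"]

# Assumed handler path, standing in for the image handler the post mentions.
IMAGE_HANDLER = "/captcha.ashx"


def render_form_naive(word: str) -> str:
    """The old scheme: the word is interpolated into the page and handed to the
    image handler in the query string, so the page source gives the answer away."""
    return (f'<img src="{IMAGE_HANDLER}?word={html.escape(word)}">\n'
            '<input name="captcha">')


class SessionStore:
    """Minimal in-memory server-side session store. The cookie the browser holds
    is the key (an opaque random token); the word itself never leaves the server."""

    def __init__(self) -> None:
        self._sessions: dict[str, dict] = {}

    def new_session(self) -> str:
        """Returns the value to send in the session cookie."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def issue_challenge(store: SessionStore, sid) -> str:
    """Picks a fresh word, stores it against the session, and returns form HTML
    that carries no hint: the image URL has no parameters at all."""
    sess = store.get(sid)
    if sess is None:
        # The post's environmental assumption: no cookie, no session, no CAPTCHA.
        raise ValueError("no session: the browser must accept the session cookie")
    sess["captcha_word"] = secrets.choice(WORDS)
    return f'<img src="{IMAGE_HANDLER}">\n<input name="captcha">'


def captcha_image_text(store: SessionStore, sid):
    """What the image handler rasterises. Drawing (colours, random font) is out of
    scope here; the point is that the word comes from the session, not the URI."""
    sess = store.get(sid)
    if sess is None:
        return None
    return sess.get("captcha_word")


def verify(store: SessionStore, sid, answer) -> bool:
    """Checks the submitted answer. The stored word is popped before comparing,
    so each issued image is good for exactly one attempt, right or wrong."""
    sess = store.get(sid)
    if sess is None:
        return False
    expected = sess.pop("captcha_word", None)
    if expected is None:
        return False
    # Case-insensitive, constant-time comparison of the normalised strings.
    given = (answer or "").strip().lower().encode()
    return hmac.compare_digest(expected.lower().encode(), given)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.new_session()           # would go out as Set-Cookie: session=<sid>
    print(issue_challenge(store, sid))  # no word anywhere in the markup
    word = captcha_image_text(store, sid)
    print("verify:", verify(store, sid, word))  # True
    print("replay:", verify(store, sid, word))  # False: challenge already consumed
```

A scraper that fetches the form now gets an image URL with nothing to read, and a cookie it cannot turn back into the word; a client that refuses the cookie gets no challenge at all, which is exactly the assumption the post flags.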
Comments
>This guy is out of line. Proper
>security etiquette … etc.
At first I thought – Yeah! This guy is out of line! But on reflection…
I think taking the time to notify the people in advance would cost a certain amount of effort – whereas the total damage done in this particular case is pretty small. So the guy has taken a risk, but only a small one.
And his method has been very effective.
I once privately notified a large and important site about their vulnerability to XSS and SQL-Injection – their response: so what? our data is not all that valuable. This included billing information for people such as myself.
This guy is out of line. Proper security etiquette is to notify you of the hole privately and let you close it before posting to the world.
Regards,
Bruce