Scott Arciszewski discovered the vulnerability on October 5th 2013 and contacted Pastebin immediately.
The team replied within two days and assured him that the vulnerability would be reviewed. However, they neither responded further nor patched the vulnerability, after which Arciszewski decided to go for full disclosure.
Scott Arciszewski noted in a mail to the Full Disclosure mailing list:
"Hello all,

After reading an article in Go Null Yourself about abusing PhpBB's Tell-a-Friend feature a while back, I've kept an eye out for ways to spam people or bypass a website's flood protection. (Apologies to forum moderators everywhere!)

On October 5, I discovered a captcha bypass technique and promptly reported it to the Pastebin staff. They responded on October 7 and said they would look into it. It's November 27 and they still haven't fixed this (despite me giving them the solution).

The technique (which is pretty lame and obvious):
1. Authenticate with a Twitter/Facebook account
2. Create a new paste
3. Write something benign that will not trigger their spam filter
4. Submit
5. Immediately edit the paste
6. Replace your benign message with whatever spammy filth you want!

I'm not going to write a script to automate this, but it should be trivial. If nothing else, you can spare yourself the trouble of solving a captcha next time you decide to dump IRC logs or your rivals' mail spools and something happens to contain a hyperlink.

Happy Thanksgiving,
Scott Arciszewski"
According to Scott, the technique to bypass the captcha is pretty lame and obvious, and could easily be automated to abuse the captcha (security) system.
Source: Techienews
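The bug class behind the disclosure is a write path that skips the checks another write path enforces: the spam filter and the captcha gate paste creation, but editing a paste is only gated by ownership. The following is an added illustrative model of that pattern, not Pastebin's code and not the fix Arciszewski sent them; the hyperlink-based spam heuristic, the captcha flag and the class names are constructed stand-ins. The vulnerable store accepts an unfiltered body on edit, the hardened store runs the same gate on every write.

```python
import re

# Toy spam heuristic, constructed for this example: any hyperlink counts as spam.
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def looks_spammy(text: str) -> bool:
    """Return True when the body would be rejected by the (toy) spam filter."""
    return bool(URL_RE.search(text))


class VulnerablePasteStore:
    """Before: the spam filter and the captcha only gate the create path."""

    def __init__(self):
        self.pastes = {}   # paste id -> {"owner": str, "text": str}
        self.next_id = 1

    def create(self, owner: str, text: str, captcha_ok: bool):
        """Return the new paste id, or None when the submission is rejected."""
        if not captcha_ok or looks_spammy(text):
            return None
        pid = self.next_id
        self.next_id += 1
        self.pastes[pid] = {"owner": owner, "text": text}
        return pid

    def edit(self, owner: str, pid: int, text: str) -> bool:
        """Only ownership is checked; the replacement body is never filtered."""
        paste = self.pastes.get(pid)
        if paste is None or paste["owner"] != owner:
            return False
        paste["text"] = text
        return True


class HardenedPasteStore(VulnerablePasteStore):
    """After (assumed mitigation): every write, create or edit, passes one gate."""

    @staticmethod
    def _accept(text: str, captcha_ok: bool) -> bool:
        # Single decision point so no write path can drift away from the other.
        return captcha_ok and not looks_spammy(text)

    def edit(self, owner: str, pid: int, text: str, captcha_ok: bool) -> bool:
        """Edits require the same captcha and content check as creation."""
        if not self._accept(text, captcha_ok):
            return False
        return super().edit(owner, pid, text)


if __name__ == "__main__":
    spam = "visit http://example.invalid"          # constructed sample body
    v = VulnerablePasteStore()
    pid = v.create("alice", "benign text", captcha_ok=True)
    print("vulnerable edit accepted spam:", v.edit("alice", pid, spam))
    h = HardenedPasteStore()
    pid = h.create("alice", "benign text", captcha_ok=True)
    print("hardened edit accepted spam:", h.edit("alice", pid, spam, captcha_ok=True))
```

The point of the hardened class is structural rather than the heuristic itself: the content check lives in one method that both write paths must call, which is the property a reviewer would look for in any service that lets users revise submitted content after the initial gate.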
Now, by all means, vulnerabilities related to CAPTCHA are nothing new, as you can read in the following articles. I also think that this spam-security "app" will encounter some more in the future:
- Bypassing CAPTCHAs by Impersonating CAPTCHA Provider by McAfee
- Attacking CAPTCHAs for Fun and Profit by McAfee
- Captcha Cracked again by Allspammedup
- Cosine Security Blog