Captcha Backdoor Vulnerability in Pastebin discovered

A Security Researcher has discovered a captcha bypass vulnerability in Pastebin and has decided for full disclosure as the online pasting tool has failed to resolve the issue even after multiple reminders.

Scott Arciszewski discovered the vulnerability on October 5th 2013 and contacted Pastebin immediately.

The team replied back to him in two days and assured the vulnerability will be reviewed. However, till the response team failed to respond back or patch the vulnerability following which Arciszewski decided to go for a full disclosure.

Scott Arciszewski noted in a mail to full disclosure mailing list:
"Hello all,
After reading an article in Go Null Yourself about abusing PhpBB's
Tell-a-Friend feature a while back, I've kept an eye out for ways to spam
people or bypass a website's flood protection. (Apologies to forum
moderators everywhere!)

On October 5, I discovered a captcha bypass technique and promptly reported
it to the Pastebin staff. They responded on October 7 and said they would
look into it. It's November 27 and they still haven't fixed this (despite
me giving them the solution).

The technique (which is pretty lame and obvious):

   1. Authenticate with a Twitter/Facebook account
   2. Create a new paste
   3. Write something benign that will not trigger their spam filter
   4. Submit
   5. Immediately edit the paste
   6. Replace your benign message with whatever spammy filth you want!

I'm not going to write a script to automate this, but it should be trivial.
If nothing else, you can spare yourself the trouble of solving a captcha
next time you decide to dump IRC logs or your rivals' mail spools and
something happens to contain a hyperlink."

Happy thanksgiving,
Scott Arciszewski

According to Scott the technique to bypass the captcha is pretty lame and obvious and could easily be automated to abuse the Captcha (Security) System.

Source: Techienews

Now, by all means; the vulnerability subjects related to CAPTCHA is nothing new, as you can read in the following articles. I also think that this SPAM-Security-"App" will counter some more in upcoming Future:

Keine Kommentare:

Kommentar veröffentlichen