Captcha Backdoor Vulnerability in Pastebin discovered

A Security Researcher has discovered a captcha bypass vulnerability in Pastebin and has decided for full disclosure as the online pasting tool has failed to resolve the issue even after multiple reminders.

Scott Arciszewski discovered the vulnerability on October 5th 2013 and contacted Pastebin immediately.

The team replied back to him in two days and assured the vulnerability will be reviewed. However, till the response team failed to respond back or patch the vulnerability following which Arciszewski decided to go for a full disclosure.

Scott Arciszewski noted in a mail to full disclosure mailing list:

"Hello all,

After reading an article in Go Null Yourself about abusing PhpBB's

Tell-a-Friend feature a while back, I've kept an eye out for ways to spam

people or bypass a website's flood protection. (Apologies to forum

moderators everywhere!)

On October 5, I discovered a captcha bypass technique and promptly reported

it to the Pastebin staff. They responded on October 7 and said they would

look into it. It's November 27 and they still haven't fixed this (despite

me giving them the solution).

The technique (which is pretty lame and obvious):

   1. Authenticate with a Twitter/Facebook account

   2. Create a new paste

   3. Write something benign that will not trigger their spam filter

   4. Submit

   5. Immediately edit the paste

   6. Replace your benign message with whatever spammy filth you want!

I'm not going to write a script to automate this, but it should be trivial.

If nothing else, you can spare yourself the trouble of solving a captcha

next time you decide to dump IRC logs or your rivals' mail spools and

something happens to contain a hyperlink."

Happy thanksgiving,

Scott Arciszewski

According to Scott the technique to bypass the captcha is pretty lame and obvious and could easily be automated to abuse the Captcha (Security) System.

Source: Techienews

Now, by all means; the vulnerability subjects related to CAPTCHA is nothing new, as you can read in the following articles. I also think that this SPAM-Security-"App" will counter some more in upcoming Future:

• Bypassing CAPTCHAs by Impersonating CAPTCHA Provider by McAfee
• Attacking CAPTCHAs for Fun and Profit by McAfee
• Captcha Cracked again by Allspammedup
• Cosine Security Blog