[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Pastebin Captcha Bypass
From: Scott Arciszewski <scott () arciszewski ! me>
Date: 2013-11-28 2:33:06
Message-ID: CAPKwhwvFwTYXuiGjgUSzEz3S_kgta3s8+4+=-iCKjtho+DUWVQ () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hello all,
After reading an article in Go Null Yourself about abusing PhpBB's
Tell-a-Friend feature a while back, I've kept an eye out for ways to spam
people or bypass a website's flood protection. (Apologies to forum
moderators everywhere!)
On October 5, I discovered a captcha bypass technique and promptly reported
it to the Pastebin staff. They responded on October 7 and said they would
look into it. It's November 27 and they still haven't fixed this (despite
me giving them the solution).
The technique (which is pretty lame and obvious):
1. Authenticate with a Twitter/Facebook account
2. Create a new paste
3. Write something benign that will not trigger their spam filter
4. Submit
5. Immediately edit the paste
6. Replace your benign message with whatever spammy filth you want!
I'm not going to write a script to automate this, but it should be trivial.
If nothing else, you can spare yourself the trouble of solving a captcha
next time you decide to dump IRC logs or your rivals' mail spools and
something happens to contain a hyperlink.
Happy thanksgiving,
Scott Arciszewski
[Attachment #5 (text/html)]
<div dir="ltr"><div><div><div>Hello all,<br><br></div>After reading an article in Go Null \
Yourself about abusing PhpBB's Tell-a-Friend feature a while back, I've kept an eye out \
for ways to spam people or bypass a website's flood protection. (Apologies to forum \
moderators everywhere!)<br> <br></div>On October 5, I discovered a captcha bypass technique and \
promptly reported it to the Pastebin staff. They responded on October 7 and said they would \
look into it. It's November 27 and they still haven't fixed this (despite me giving \
them the solution).<br> <br></div><div>The technique (which is pretty lame and \
obvious):<br><ol><li>Authenticate with a Twitter/Facebook account</li><li>Create a new \
paste</li><li>Write something benign that will not trigger their spam filter</li> \
<li>Submit</li><li>Immediately edit the paste</li><li>Replace your benign message with whatever \
spammy filth you want!</li></ol><p>I'm not going to write a script to automate this, but it \
should be trivial. If nothing else, you can spare yourself the trouble of solving a captcha \
next time you decide to dump IRC logs or your rivals' mail spools and something happens to \
contain a hyperlink.<br> </p><p>Happy thanksgiving,</p><p>Scott Arciszewski<br></p></div></div>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic