lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAPKwhwvFwTYXuiGjgUSzEz3S_kgta3s8+4+=-iCKjtho+DUWVQ@mail.gmail.com>
Date: Wed, 27 Nov 2013 21:33:06 -0500
From: Scott Arciszewski <scott@...iszewski.me>
To: full-disclosure@...ts.grok.org.uk
Subject: Pastebin Captcha Bypass

Hello all,

After reading an article in Go Null Yourself about abusing PhpBB's
Tell-a-Friend feature a while back, I've kept an eye out for ways to spam
people or bypass a website's flood protection. (Apologies to forum
moderators everywhere!)

On October 5, I discovered a captcha bypass technique and promptly reported
it to the Pastebin staff. They responded on October 7 and said they would
look into it. It's November 27 and they still haven't fixed this (despite
me giving them the solution).

The technique (which is pretty lame and obvious):

   1. Authenticate with a Twitter/Facebook account
   2. Create a new paste
   3. Write something benign that will not trigger their spam filter
   4. Submit
   5. Immediately edit the paste
   6. Replace your benign message with whatever spammy filth you want!

I'm not going to write a script to automate this, but it should be trivial.
If nothing else, you can spare yourself the trouble of solving a captcha
next time you decide to dump IRC logs or your rivals' mail spools and
something happens to contain a hyperlink.

Happy thanksgiving,

Scott Arciszewski

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ