Also, if you wanted to particularly target that site's slider for spamming, it isn't hard to do.
"Although a checkbox "check here if you are not a bot" might serve to distinguish between humans and computers, it is not a CAPTCHA because it relies on the fact that an attacker has not spent effort to break that specific form. (Such 'check here' methods are very easy to defeat.) Instead, CAPTCHAs rely on difficult problems in artificial intelligence. In the short term, this has the benefit of distinguishing humans from computers. In the long term, it creates an incentive to advance the state of AI, which the originators of the term view as a benefit in its own right."
That type of thing would probably wind up being way too limited. It has
to be generated and checked by a computer so it's going to tend
towards a pattern and not be arbitrary enough. And as you make it more
convoluted you're probably going to piss off the users more than slow
down spammers.
I'm not sure it will work at all. Bots don't trigger the submit event by clicking a button. They do so by scripted form submission, so if the slider is tied to a simple submit event, it's pointless.
How can you submit a form that has no URL to submit to?
I haven't tried circumventing their form, and maybe they didn't do this, but the basic idea is to store the submission URL in javascript, and assign it to the form only on the slider event.
All that matters is what goes over the wire. The UI doesn't matter. If the data sent has no dynamic component (i.e. the text of a random word-image), then it can be replayed with different inputs.
surely spammers have javascript-enabled spambots by now. i'm sure some of them embed an actual webkit/mozilla/ie rendering engine and just script the interface.
hell, a regular firefox browser with images disabled (for speed) and the selenium plugin installed could probably accomplish a high rate of automated spamming.
The script just sets a hidden input field to a "magic" value once you've moved the slider all the way. If you can write a trivial regexp, you can circumvent their "captcha".
You guys are misunderstanding me, I was referring to bots that autofill any form they come across on hundreds/thousands of sites, not about preventing a direct attack against this site. If someone wrote a bot specific to this site, yes, they'd easily get by it of course.
Spammers are lazy. They like to target lots of sites at once. A post of mine from a few years ago explains the rationale behind one off schemes such as this:
"Spammers are lazy" does kinda work for the multitudes of small-traffic sites out there. Put together some unique or custom validation to keep out spambots and odds are that's all you'll ever need.
The thing is, for big sites like Google or Yahoo that won't work. If Google implemented the slider I'd bet a month's salary that it would be flooded with spammers overnight. The CAPTCHA's they use have been put through the ringer and are proven to work against spammers who are focused and resourceful. By lining the two up like that, the post tries to equivocate big site CAPTCHAs with user-friendly client-side-only validation, but the latter is not even in the same league, much less an alternative. It works for the same reasons "Enter the sum of 3 and 5: ____" would work.
Sorry, I should have been clearer on what I meant. Google/etc CAPTCHAs don't work 100% against anti-CAPTCHA. As those articles suggest it's a fluctuating 80% or so, and obviously an ongoing arms race.
My point was more to the fact that the slider solution wouldn't retain anywhere near the same stats if it were put up against the same level of effort and sophistication spent towards breaking it. It would get solved and then bypassed completely.
Simulating a click and slide is nowhere near as hard as automating, for example, decoding of Google's CAPTCHA. The whole point of a CAPTCHA is to make the automation as hard as possible without making it too hard for a human.
Not really; you might have to do it outside the browser (with OS calls, for example), but it can be scripted. You could probably even swap out the swf and just send back the right answer without having to bother with it.
Selenium doesn't work with Flash/Flex (don't I know it...).
You could use something like Eggplant, though. Or you could decompile the Flash file and fake the communications it sends to the server. The latter is probably the easiest and most scalable method.
In it he mentions the site below which is a some Chinese hacker's page that breaks down a number of common CAPTCHAs and puts a price on them:
http://www.lafdc.com/captcha/
Because they don't care about a spammer joining fb, they have spam prevention system on the publishing and friendship actions. I see the re-captcha very often while publishing stuff (but I'm connected 24/7 to the fb chat with pigdin), also I've heard that people who try to add too many friends in a short period of time, get a message from the spam prevention.
40 comments
[ 3.1 ms ] story [ 75.5 ms ] threadAs far as I know, different CAPTCHAs have different degrees of effectiveness. Google's is among one of the best.
"Although a checkbox "check here if you are not a bot" might serve to distinguish between humans and computers, it is not a CAPTCHA because it relies on the fact that an attacker has not spent effort to break that specific form. (Such 'check here' methods are very easy to defeat.) Instead, CAPTCHAs rely on difficult problems in artificial intelligence. In the short term, this has the benefit of distinguishing humans from computers. In the long term, it creates an incentive to advance the state of AI, which the originators of the term view as a benefit in its own right."
(from wikipedia)
I haven't tried circumventing their form, and maybe they didn't do this, but the basic idea is to store the submission URL in javascript, and assign it to the form only on the slider event.
hell, a regular firefox browser with images disabled (for speed) and the selenium plugin installed could probably accomplish a high rate of automated spamming.
A slider? Really? Yeah, there's no way a script could fake changing the value of a slider.
http://www.nextthing.org/archives/2005/07/16/a-few-upgrades
My own has worked fairly well for me since then.
The thing is, for big sites like Google or Yahoo that won't work. If Google implemented the slider I'd bet a month's salary that it would be flooded with spammers overnight. The CAPTCHA's they use have been put through the ringer and are proven to work against spammers who are focused and resourceful. By lining the two up like that, the post tries to equivocate big site CAPTCHAs with user-friendly client-side-only validation, but the latter is not even in the same league, much less an alternative. It works for the same reasons "Enter the sum of 3 and 5: ____" would work.
- http://securitylabs.websense.com/content/Blogs/2919.aspx
- http://www.cs.sfu.ca/~mori/research/gimpy/
- http://www.zdnet.co.uk/news/security-management/2004/05/06/s...
- http://caca.zoy.org/wiki/PWNtcha
etc. Most of those articles are from several years ago. The state of the art has improved since then.
My point was more to the fact that the slider solution wouldn't retain anywhere near the same stats if it were put up against the same level of effort and sophistication spent towards breaking it. It would get solved and then bypassed completely.
You could use something like Eggplant, though. Or you could decompile the Flash file and fake the communications it sends to the server. The latter is probably the easiest and most scalable method.
In it he mentions the site below which is a some Chinese hacker's page that breaks down a number of common CAPTCHAs and puts a price on them: http://www.lafdc.com/captcha/
javascript:updateSlider1(4);
also: http://blog.facebook.com/blog.php?post=403200567130