0

Thanks to Dani for changing the sign up process. :)

Thanks to all the mods that reacted on the reported spam. :)

Thanks to everyone for keeping Daniweb what it is, an IT discussion community. :)

0

Wow 300 spam posts a day. That's tedious.

Good job on changing the registration process... to get around the issue of having the reCAPTCHA hacked... but the random questions are seriously prone to further exploit, especially as there doesn't seem to be that many... I reckon I could hack this in half a day. But I guess you guys already know this.

Is it likely the reCAPTCHA code for vBulletin will be patched soon? I would assume so as it is used heavily all over the world?

Good luck Daniweb.

Edited by iamthwee: n/a

0

In fact it's even easier to hack than I thought.

I could do this in an hour... I will attempt to prove this by creating 5000 bogus email accounts as proof.

0

>> I will attempt to prove this by creating 5000 bogus email accounts as proof.

Someone's going to hate your guts...;)

That would be me.

0

>> The posts that are weird writing, are they spam?

Depends on what you call weird writing. Spam usually has a link in it.

That different-language gibberish.

0

Just testing my script...

It successfully registers one new user every ten seconds.

All users I have created begin with the username 'iam.'

Theoretically, if I were to load this script onto 1000 PCs on my network at uni that's...

1 user every 10 seconds x 1000

1000 users every ten seconds... Well! I will try it out tomorrow.

Edited by iamthwee: n/a

3

>> Well! I will try it out tomorrow.

If you do so, I'll permaban your ass.

Votes + Comments
Go ninja, go ninja, go!
0

>If you do so, I'll permaban your ass.

Nick, I've already PM'd Dani and Happygeek and she said she knew it would be an easy thing to do (which it was) but she was just attempting to stop the software designed to attack ANY vBulletin forum...

Whatever, her quick solution took me just an hour to exploit. I reckon there must be at least 100 iam############# in the database. If I can do it, then it is quite possible, others with access to lots of machines could add a sh*t load of bogus accounts. I've since stopped the script.

>However you are always welcome to submit your code to Dani for examination and help improve forum...

I'm not going to post the script exploit because it is trivial to do.

The problem is there are only 6 random questions. So all you have to do is build a database of these questions and their answers. What is worse is that these random questions are in plain text in the source code for the registration page.

The other problem is you don't need a valid email address to register. Yeah well we already knew this.

Better would be for Dani to, one, increase the number of questions (but I'm sure the non-English speaking users will be affected so she may be reluctant to do so).

Two, at least have the question displayed as an image rather than plain text.

Then the exploit code would have to use a crude image recognition algo. Not cast iron safe but definitely a step better than what it is now.

Anyway the point is, I could potentially add tens of thousands of bogus users to the database in a matter of hours... So imagine what someone who really knew what they were doing could do.

Edited by iamthwee: n/a

0

@iamthwee, I like your idea. It is most definitely better than warped or distorted text and I am sure anybody with half a brain cell will be able to distinguish between the pictures, as in their example "click on the cat".

0

@iamthwee:

Ok, I'll file this under "trying to help" rather than "spamming the board". So... thanks, I guess?
Now please stop creating new users, because I will take action if you don't. These last 9 days haven't been good for my mood at all.

0

>> Ok, I'll file this under "trying to help" rather than "spamming the board". So... thanks, I guess?

>> Now please stop creating new users, because I will take action if you don't. These last 9 days haven't been good for my mood at all.

Sorry about that.

Yep, I've eradicated the script now.

If you wanna do a quick query to clear up the user accounts:

All users start with 'iam' + a 13-digit random number.
All users I have created have the password 'iamthwee'.

I just wanted to highlight the massive potential devastation you could cause.

Ciao.
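The two handles a moderator has for finding the accounts described in the posts above are the username shape ('iam' followed by 13 digits) and the registration cadence (one account every ten seconds from one source). The script below is an added example, not code from this thread or from Daniweb; it runs both checks over a constructed registration log. The log rows, the IP addresses (documentation ranges), the 60-second window and the threshold of 3 are all assumptions chosen for illustration, and the velocity check is there because a naming pattern alone stops working as soon as a script picks unpredictable usernames.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample registration log: (timestamp, username, source IP).
# Not real Daniweb data; the 'iam' + 13 digits usernames and the ten-second
# cadence mirror what the thread describes.
SAMPLE_LOG = [
    ("2011-03-01 10:00:00", "alice",            "203.0.113.5"),
    ("2011-03-01 10:00:10", "iam1234567890123", "198.51.100.7"),
    ("2011-03-01 10:00:20", "iam9876543210987", "198.51.100.7"),
    ("2011-03-01 10:00:30", "iam5555555555555", "198.51.100.7"),
    ("2011-03-01 10:00:40", "iam1111111111111", "198.51.100.7"),
    ("2011-03-01 10:05:00", "bob",              "203.0.113.9"),
    ("2011-03-01 10:30:00", "iamthwee",         "198.51.100.7"),
]

# Username shape reported in the thread: literal "iam" then exactly 13 digits.
BULK_NAME = re.compile(r"^iam\d{13}$")


def parse_log(rows):
    """Turn the string timestamps into datetime objects."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip)
            for ts, user, ip in rows]


def by_pattern(rows):
    """Usernames that match the scripted naming pattern, in log order."""
    return [user for _, user, _ in parse_log(rows) if BULK_NAME.match(user)]


def by_velocity(rows, window_seconds=60, threshold=3):
    """Source IPs that registered `threshold` or more accounts inside any
    sliding window of `window_seconds`. This catches a burst regardless of
    what the usernames look like. Window and threshold are assumed values."""
    events = sorted(parse_log(rows))
    window = timedelta(seconds=window_seconds)
    recent = {}      # ip -> deque of registration times still inside the window
    flagged = set()
    for ts, _, ip in events:
        q = recent.setdefault(ip, deque())
        q.append(ts)
        # Drop registrations that fell out of the window before this one.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print("pattern matches:", by_pattern(SAMPLE_LOG))
    print("bursty sources:", by_velocity(SAMPLE_LOG))
```

Run it as-is to see the four scripted accounts and the one bursty source; against a real log you would feed `by_pattern` and `by_velocity` the rows from the users table and review the hits before deleting anything, since a shared NAT address can also produce a legitimate burst.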

0

As Davey pointed out, iamthwee proved that a direct attack is possible. Unfortunately this was a global attack on vBulletins using reCAPTCHA. I believe that all mods were sitting up to 10 HOURS a day trying to do cleanup over the last couple of days, so I can see why Nick's mood is floundering.

Enjoy the new clean up from iamthwee, Nick. :)

0

>> Enjoy the new clean up from iamthwee Nick

Thanks. The only possibility for me is to remove them one at a time... So I'll leave 'em for now :)

Edited by Nick Evan: n/a
