Good job on changing the registration process... to get around the issue of having the reCAPTCHA hacked... but the random questions are seriously prone to further exploit, especially as there doesn't seem to be that many... I reckon I could hack this in half a day. But I guess you guys already know this.
Is it likely the reCAPTCHA code for vBulletin will be patched soon? I would assume so as it is used heavily all over the world?
Nick, I've already PM'd Dani and Happygeek, and she said she knew it would be an easy thing to do (which it was), but she was just attempting to stop the software designed to attack ANY vBulletin forum...
Whatever, her quick solution took me just an hour to exploit. I reckon there must be at least 100 iam############# in the database. If I can do it, then it is quite possible others with access to lots of machines could add a sh*t load of bogus accounts. I've since stopped the script.
>However you are always welcome to submit your code to Dani for examination and help improve forum...
I'm not going to post the script exploit because it is trivial to do.
The problem is there are only 6 random questions. So all you have to do is build a database of these questions and their answers. What is worse is that these random questions are in plain text in the source code for the registration page.
The other problem is you don't need a valid email address to register. Yeah well we already knew this.
Better would be for Dani to, one, increase the number of questions (but I'm sure the non-English speaking users will be affected, so she may be reluctant to do so).
Two, at least have the question displayed as an image rather than plain text.
Then the exploit code would have to use a crude image recognition algorithm. Not cast-iron safe, but definitely a step better than what it is now.
Anyway, the point is, I could potentially add tens of thousands of bogus users to the database in a matter of hours... So imagine what someone who really knew what they were doing could do.
@iamthwee, I like your idea. It is most definitely better than warped or distorted text and I am sure anybody with half a brain cell will be able to distinguish between the pictures, as in their example "click on the cat".
Ok, I'll file this under "trying to help" rather than "spamming the board". So... thanks, I guess?
Now please stop creating new users, because I will take action if you don't. These last 9 days haven't been good for my mood at all. :icon_neutral:
As Davey pointed out, iamthwee proved that a direct attack is possible. Unfortunately this was a global attack on vBulletins using reCAPTCHA. I believe that all mods were sitting up to 10 HOURS a day trying to do cleanup over the last couple of days, so I can see why Nick's mood is floundering.