Scott Arciszewski

Software, Privacy, Security, Innovation

Pastebin Captcha Evasion

Posted on: December 24, 2013

Discovered on October 5, 2013; released on Full Disclosure on November 27, 2013. Posted on December 24, 2013.

Hello all,

After reading an article in Go Null Yourself about abusing phpBB's Tell-a-Friend feature a while back, I've kept an eye out for ways to spam people or bypass a website's flood protection. (Apologies to forum moderators everywhere!)

On October 5, I discovered a captcha bypass technique and promptly reported it to the Pastebin staff. They responded on October 7 and said they would look into it. It's November 27 and they still haven't fixed this (despite me giving them the solution).

The technique (which is pretty lame and obvious):

1. Authenticate with a Twitter/Facebook account
2. Create a new paste
3. Write something benign that will not trigger their spam filter
4. Submit
5. Immediately edit the paste
6. Replace your benign message with whatever spammy filth you want!

I'm not going to write a script to automate this, but it should be trivial. If nothing else, you can spare yourself the trouble of solving a captcha next time you decide to dump IRC logs or your rivals' mail spools and something happens to contain a hyperlink.

Happy Thanksgiving,
Scott Arciszewski
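As an added illustration (not code from the post above, and not Pastebin's own code or a script against Pastebin), here is a small Python model of the flaw the six steps exploit: a content gate that runs on the create path but not on the edit path. The link-based spam heuristic, the captcha policy (a captcha is demanded only when the filter flags the body), the rule that only a logged-in owner can edit, and the class and function names are all assumptions chosen to mirror the steps in the post. `HardenedPasteService` shows the obvious fix, which is to run the same gate on every path that writes a paste body.

```python
"""Model of a validate-on-create-but-not-on-edit captcha bypass.

Added example; the service, its policy and its names are assumptions,
not Pastebin's implementation.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: the filter flags hyperlinks, since the post says a paste that
# "happens to contain a hyperlink" is what triggers the captcha.
_LINK_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


class CaptchaRequired(Exception):
    """The service refused the write until a captcha is solved."""


@dataclass
class Paste:
    paste_id: int
    owner: Optional[str]  # None for an anonymous paste
    body: str


def looks_spammy(body: str) -> bool:
    """Crude stand-in for a real spam filter (assumption)."""
    return _LINK_RE.search(body) is not None


class FlawedPasteService:
    """The captcha gate runs only on create; edits write straight through."""

    def __init__(self) -> None:
        self._pastes: Dict[int, Paste] = {}
        self._next_id = 1

    def _gate(self, body: str, captcha_solved: bool) -> None:
        if looks_spammy(body) and not captcha_solved:
            raise CaptchaRequired("link detected; solve the captcha first")

    def create(self, user: Optional[str], body: str, captcha_solved: bool = False) -> int:
        self._gate(body, captcha_solved)
        paste_id = self._next_id
        self._next_id += 1
        self._pastes[paste_id] = Paste(paste_id, user, body)
        return paste_id

    def edit(self, user: str, paste_id: int, body: str, captcha_solved: bool = False) -> None:
        paste = self._pastes[paste_id]
        # Assumption: anonymous pastes have no owner and cannot be edited,
        # which is why step 1 of the post is "authenticate".
        if paste.owner is None or paste.owner != user:
            raise PermissionError("only the logged-in owner may edit a paste")
        paste.body = body  # the bug: no _gate() call on this write path

    def read(self, paste_id: int) -> str:
        return self._pastes[paste_id].body


class HardenedPasteService(FlawedPasteService):
    """Every path that writes a paste body goes through the same gate."""

    def edit(self, user: str, paste_id: int, body: str, captcha_solved: bool = False) -> None:
        self._gate(body, captcha_solved)
        super().edit(user, paste_id, body, captcha_solved)


BENIGN = "meeting notes: bring the laptop"          # constructed sample input
SPAMMY = "cheap pills at http://spam.example/buy"  # constructed sample input


def run_bypass(service: FlawedPasteService, user: str) -> str:
    """Steps 1-6 from the post: log in, post something benign, edit in the spam."""
    paste_id = service.create(user, BENIGN)  # passes: no link, so no captcha
    service.edit(user, paste_id, SPAMMY)     # never solves a captcha
    return service.read(paste_id)


def bypass_succeeds(service: FlawedPasteService, user: str) -> bool:
    """True if the spammy body ends up stored without a captcha being solved."""
    try:
        return run_bypass(service, user) == SPAMMY
    except CaptchaRequired:
        return False


if __name__ == "__main__":
    print("flawed   bypass succeeds:", bypass_succeeds(FlawedPasteService(), "alice"))
    print("hardened bypass succeeds:", bypass_succeeds(HardenedPasteService(), "alice"))
```

The general lesson is not specific to captchas: any check applied at one entry point (create) but not at another that writes the same state (edit, import, API, bulk upload) is a bypass waiting to be found, so the gate belongs next to the write, not next to the form.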
