TWOCrowds.com flickr CAPTCHA test
The article you are reading has moved! It is now available at: http://blog.tinisles.com/2006/10/twocrowds-com-flickr-captcha-test/
Noticed on the web somewhere that TWOCrowds.com is using the flickr API to create a CAPTCHA test. It looks like they use the API to pull up a photo tagged with a convention that says "this is a photo of a single letter: r".
Wouldn't this be pretty easy to defeat? The JPGs are served straight from flickr, with names like "114556884_45d6dd4ec4_s.jpg". The first part of the filename is the photo id, which you can pass to the flickr API method flickr.photos.getInfo. That call returns all the tags (among other things) for the image, and the "Rr" tag is the convention that says this is a photo of the letter R:
<tags>
  <tag id="256536-114556884-484" author="95229107@N00" raw="Paris">paris</tag>
  <tag id="256536-114556884-6562" author="95229107@N00" raw="claudecf">claudecf</tag>
  <tag id="256536-114556884-17897" author="95229107@N00" raw="letter">letter</tag>
  <tag id="256536-114556884-67834" author="95229107@N00" raw="oneletter">oneletter</tag>
  <tag id="256536-114556884-6496" author="95229107@N00" raw="letters">letters</tag>
  <tag id="256536-114556884-8513" author="95229107@N00" raw="Rr">rr</tag>
</tags>
They could prevent this by not revealing the flickr image names in the HTML: have their own webserver fetch the JPG and deliver it under a different filename that carries no photo id.
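As an added illustration of that fix (example code, not TWOCrowds' or flickr's own), here is a small server-side challenge store: the browser only ever sees a random, single-use token in the image filename, while the photo id and the answer letter stay on the server. The class name, the token length and the expiry are assumptions.

```python
import secrets
import time


class CaptchaChallenges:
    """Maps opaque tokens to (flickr photo id, answer letter) entirely server-side."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._pending = {}  # token -> (photo_id, answer_letter, expires_at)

    def issue(self, photo_id, answer_letter, now=None):
        """Register a challenge; the token is random and unrelated to photo_id."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(16)  # 128 bits of randomness (assumed size)
        self._pending[token] = (str(photo_id), answer_letter.lower(), now + self.ttl)
        return token

    def image_filename(self, token):
        """What goes in the HTML: never flickr's '114556884_45d6dd4ec4_s.jpg'."""
        return f"captcha-{token}.jpg"

    def photo_id_for(self, token, now=None):
        """Only the server's image handler calls this, to fetch the JPG from flickr."""
        now = time.time() if now is None else now
        entry = self._pending.get(token)
        if entry is None or entry[2] < now:
            return None
        return entry[0]

    def verify(self, token, guess, now=None):
        """Check the user's letter; the token is consumed whether right or wrong."""
        now = time.time() if now is None else now
        entry = self._pending.pop(token, None)  # single use: no retries on one token
        if entry is None or entry[2] < now:
            return False
        expected = entry[1].encode("utf-8")
        return secrets.compare_digest(expected, guess.strip().lower().encode("utf-8"))


if __name__ == "__main__":
    store = CaptchaChallenges()
    tok = store.issue("114556884", "r")  # photo id from the post, answer 'r'
    print(store.image_filename(tok))     # opaque name, no photo id inside
    print(store.verify(tok, "R"))        # True, then the token is gone
```

The tags lookup described above is only possible because the flickr filename is exposed; with the token indirection the page markup carries nothing that flickr.photos.getInfo could resolve.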