
Saturday, October 28, 2006 

TWOCrowds.com flickr CAPTCHA test

I noticed somewhere on the web that TWOCrowds.com is using the flickr API to create a CAPTCHA test. It looks like they use the flickr API to pull up a photo tagged with a convention that says "this is a photo of a single letter: r".

Wouldn't this be pretty easy to defeat? The JPGs are being served from flickr and are named like this: "114556884_45d6dd4ec4_s.jpg". The first part of the filename is the photo id, which you can pass to the flickr API method flickr.photos.getInfo. That method returns all the tags (among other things) for the image, with the "Rr" tag being the convention that says this is a photo of the letter R:

        <tag id="256536-114556884-484" author="95229107@N00" raw="Paris">paris</tag>
        <tag id="256536-114556884-6562" author="95229107@N00" raw="claudecf">claudecf</tag>
        <tag id="256536-114556884-17897" author="95229107@N00" raw="letter">letter</tag>
        <tag id="256536-114556884-67834" author="95229107@N00" raw="oneletter">oneletter</tag>
        <tag id="256536-114556884-6496" author="95229107@N00" raw="letters">letters</tag>
        <tag id="256536-114556884-8513" author="95229107@N00" raw="Rr">rr</tag>

They could prevent this by not revealing the image names in the HTML: their web server could read in the JPG and deliver it under a different filename.
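A sketch of that fix, added here as an example (it is not code from TWOCrowds.com or from the original post): the page only ever sees a random, single-use token, while the real image URL and the expected letter stay on the server. The `ChallengeStore` class, the `/captcha/` path and the `images.example.invalid` host are assumptions made for illustration.

```python
import hmac
import secrets
import time


class ChallengeStore:
    """Server-side map from an opaque token to the real image and its answer."""

    def __init__(self, ttl_seconds=120, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # token -> (upstream_url, answer, expires_at)

    def issue(self, upstream_url, answer):
        # The token is random, so it carries no photo id that could be looked up.
        token = secrets.token_urlsafe(16)
        expires = self._clock() + self._ttl
        self._pending[token] = (upstream_url, answer.lower(), expires)
        return token

    def img_tag(self, token):
        # Only the token appears in the HTML; the web server proxies the bytes.
        return f'<img src="/captcha/{token}.jpg" alt="captcha">'

    def upstream_for(self, token):
        # Called by the image handler to find which JPG to read and re-serve.
        entry = self._pending.get(token)
        if entry is None or entry[2] < self._clock():
            return None
        return entry[0]

    def verify(self, token, guess):
        # pop() makes each challenge single-use, whether the guess is right or not.
        entry = self._pending.pop(token, None)
        if entry is None or entry[2] < self._clock():
            return False
        return hmac.compare_digest(entry[1].encode(), guess.strip().lower().encode())


# Constructed sample: the filename from the post on a placeholder host.
SAMPLE_URL = "https://images.example.invalid/114556884_45d6dd4ec4_s.jpg"

if __name__ == "__main__":
    store = ChallengeStore()
    tok = store.issue(SAMPLE_URL, "r")
    print(store.img_tag(tok))
    print(store.verify(tok, "R"))
```

The image handler should also drop any upstream headers or metadata that name the source photo before sending the response.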