IOI Properties: this is not how you use captcha
Like many other property developers, IOI Properties put up a registration form on their website to collect user data.
Unlike many, they do have some sense of security: they added a captcha step that many other developers' websites lack.
http://www.ioiproperties.com.my/puterisepang/Registration.aspx
A captcha is a technique that renders human-readable text into an image, so that it cannot easily be analysed by a robot (a piece of programming script). It helps to ensure submitted data comes from a genuine human user, because the user has to type this text back in along with the submission. It is definitely one of the effective methods to stop spam and is widely used by big sites like Facebook, Google and Yahoo.
However, this IOI captcha is a wrong implementation. Not only is it totally useless and vulnerable to attack, it also shows a lack of understanding on its creator's part.
The IOI captcha is not dynamically generated! It is just a collection of static images, and their system randomly selects one to display. For example:
http://www.ioiproperties.com.my/jcap/cimg/191.jpg
http://www.ioiproperties.com.my/jcap/cimg/1.jpg
http://www.ioiproperties.com.my/jcap/cimg/7.jpg
http://www.ioiproperties.com.my/jcap/cimg/106.jpg
This kind of bug is very dangerous, as it gives people a false sense of security. An attacker just needs to download the whole set of 191 images and build a dictionary like the one below, then parse the web page HTML to acquire the image source URL, and he can easily spam the system:
- 191.jpg – good
- 1.jpg – polish
- 7.jpg – soap
- …
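To make the difference concrete, here is an added example (my own Python, not IOI's ASP.NET code) that models the two designs side by side. The static bank uses the three file names and words the post lists; the "image" is a placeholder string standing in for real rendering, which is an assumption of the example. The point it shows: with a fixed bank the correct answer is a pure function of the public file name, so catalogue the bank once and every challenge is solved, whereas a generated captcha keeps the answer only on the server, bound to an opaque single-use token with a short lifetime. The `distinct_images` helper is a self-check a site owner can run against their own captcha endpoint: a static bank of N files saturates at N distinct images no matter how many requests you make.

```python
"""Added example (not IOI's code): a fixed captcha image bank next to a generated one.
Image rendering is replaced by a placeholder string; file names and words come from the post."""
import hashlib
import hmac
import random
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# --- Flawed pattern: a fixed image bank.  The answer is determined by the file name that
# appears in the page HTML, so anyone who has catalogued the bank once can answer every time.
STATIC_BANK: Dict[str, str] = {"191.jpg": "good", "1.jpg": "polish", "7.jpg": "soap"}


def render(text: str) -> bytes:
    """Stand-in for real image rendering (assumption: a real site would rasterise the text)."""
    return ("<image of %s>" % text).encode()


class StaticImageCaptcha:
    def issue(self) -> Tuple[str, bytes]:
        name = random.choice(list(STATIC_BANK))  # the /jcap/cimg/<name> reference in the HTML
        return name, render(STATIC_BANK[name])   # same bytes every time for a given name

    def verify(self, name: str, answer: str) -> bool:
        return STATIC_BANK.get(name, "") == answer.strip().lower()


# --- Generated captcha: fresh random text per request, answer held only server-side,
# tied to an opaque single-use token that expires.
@dataclass
class Challenge:
    token: str    # sent to the client (hidden field or session); says nothing about the text
    image: bytes


class GeneratedCaptcha:
    ALPHABET = string.ascii_uppercase + string.digits
    TTL_SECONDS = 300

    def __init__(self, length: int = 6, clock: Callable[[], float] = time.time):
        self._pending: Dict[str, Tuple[str, float]] = {}  # token -> (answer, expiry)
        self._length = length
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue(self) -> Challenge:
        text = "".join(secrets.choice(self.ALPHABET) for _ in range(self._length))
        token = secrets.token_urlsafe(16)
        self._pending[token] = (text, self._clock() + self.TTL_SECONDS)
        return Challenge(token, render(text))

    def verify(self, token: str, answer: str) -> bool:
        # Pop first: a token is consumed by its first use, right or wrong, so it can be
        # neither replayed nor guessed repeatedly.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(expected.encode(), answer.strip().upper().encode())


def distinct_images(issue_image: Callable[[], bytes], samples: int = 500) -> int:
    """Site-owner self-check: hash many freshly issued captcha images.  A bank of N static
    files never exceeds N distinct hashes; a generated captcha grows with the sample count."""
    return len({hashlib.sha256(issue_image()).hexdigest() for _ in range(samples)})


if __name__ == "__main__":
    static = StaticImageCaptcha()
    name, _ = static.issue()
    print("static: answer recoverable from file name ->", static.verify(name, STATIC_BANK[name]))
    gen = GeneratedCaptcha()
    print("distinct images in 500 requests: static=%d generated=%d" % (
        distinct_images(lambda: static.issue()[1]), distinct_images(lambda: gen.issue().image)))
```

The three properties the generated version adds, and the static one cannot have, are the ones to look for when reviewing any captcha: the expected answer never leaves the server, each challenge is accepted at most once, and an unused challenge stops being valid after a few minutes.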