Monthly Archives: January 2014

IOI Properties: this is not how you use captcha

Like many other property developers, IOI Properties put up a registration form on their website to collect user data. Unlike many, they do have some sense of security: they added a captcha, something that many other developers' websites lack.

http://www.ioiproperties.com.my/puterisepang/Registration.aspx

A captcha renders text as an image that a human can read but a robot (a piece of programming script) cannot easily analyse. Because the submitter has to retype the text along with the form, it helps ensure that submitted data comes from a genuine human user. It is one of the effective methods to stop spam and is widely used by big sites like Facebook, Google and Yahoo.

However, the IOI captcha is a wrong implementation. It is not only totally useless and vulnerable to attack, it also shows the creator's lack of understanding. The IOI captcha is not dynamically generated! It is just a collection of static images, and the system randomly selects one of them to display. For example:
  • http://www.ioiproperties.com.my/jcap/cimg/191.jpg
  • http://www.ioiproperties.com.my/jcap/cimg/1.jpg
  • http://www.ioiproperties.com.my/jcap/cimg/7.jpg
  • http://www.ioiproperties.com.my/jcap/cimg/106.jpg

This kind of bug is very dangerous, as it gives people a false sense of security. An attacker only needs to download the whole set of 191 images once and build a dictionary from file name to answer, like the one below. After that, his script parses the page HTML to get the image source URL, looks the file name up in the dictionary, and can spam the system at will; the file name in the src attribute is effectively the answer key:
  • 191.jpg – good
  • 1.jpg – polish
  • 7.jpg – soap
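The following Python is an added example, not code from the original post or from IOI's site, showing both halves of the point above: how little work the static scheme leaves an attacker (parse the img src, look the file name up in the dictionary), and what a correct design does differently (the answer lives only in server state under a single-use random token, so nothing in the HTML maps to it). The sample page markup is constructed for the example and is not the real registration page, the dictionary holds only the three pairs listed in the post, and `SessionBoundCaptcha` is an illustrative design rather than any real library's API.

```python
import hmac
import posixpath
import secrets
from html.parser import HTMLParser
from urllib.parse import urlparse

# Static image -> answer dictionary, built once from the downloaded set as the post
# describes. Only the three pairs the post lists are filled in; the remaining file
# names would be added by the same one-off manual pass.
STATIC_CAPTCHA_ANSWERS = {
    "191.jpg": "good",
    "1.jpg": "polish",
    "7.jpg": "soap",
}

# Constructed sample of a registration page embedding a static captcha image.
# This is NOT the real IOI page markup.
SAMPLE_STATIC_PAGE = """
<form action="Registration.aspx" method="post">
  <input name="txtName" type="text">
  <img id="imgCaptcha" src="/jcap/cimg/191.jpg" alt="captcha">
  <input name="txtCaptcha" type="text">
</form>
"""


class _ImgSrcCollector(HTMLParser):
    """Collect every <img src=...> value in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "img":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def extract_captcha_image(html, image_dir="jcap/cimg"):
    """Return the file name of the captcha image the page embeds, or None.

    image_dir is the directory the post shows the static images being served from.
    """
    collector = _ImgSrcCollector()
    collector.feed(html)
    for src in collector.srcs:
        path = urlparse(src).path
        if image_dir in path:
            return posixpath.basename(path)
    return None


def solve_static_captcha(html):
    """The whole 'attack': the file name in the src attribute is the lookup key."""
    name = extract_captcha_image(html)
    if name is None:
        return None
    return STATIC_CAPTCHA_ANSWERS.get(name)  # None -> image not catalogued yet


class SessionBoundCaptcha:
    """Server-side half of a captcha done right (illustrative design, not a real library).

    The expected answer exists only in server memory, keyed by an unguessable token
    that is consumed on the first verification attempt. The client only ever sees
    /captcha/<token>.png, so neither the URL nor a downloaded image reveals the answer,
    and the same image can never be replayed against a second form submission.
    """

    def __init__(self, words):
        self._words = list(words)  # a real system would generate random text, not pick words
        self._pending = {}         # token -> expected answer

    def issue(self):
        token = secrets.token_urlsafe(16)
        self._pending[token] = secrets.choice(self._words)
        return token  # the image is rendered from self._pending[token] when fetched

    def image_url(self, token):
        return f"/captcha/{token}.png"

    def verify(self, token, answer):
        expected = self._pending.pop(token, None)  # single use: consumed right or wrong
        if expected is None:
            return False
        return hmac.compare_digest(expected.lower(), (answer or "").strip().lower())


if __name__ == "__main__":
    print("static captcha answer:", solve_static_captcha(SAMPLE_STATIC_PAGE))
    captcha = SessionBoundCaptcha(["good", "polish", "soap"])
    token = captcha.issue()
    print("dynamic image url:", captcha.image_url(token))
    print("leaks answer via url?", extract_captcha_image(f'<img src="{captcha.image_url(token)}">'))
```

Note that `solve_static_captcha` never looks at pixels: with a fixed set of 191 files the image bytes are irrelevant, and any filename that reloads identically between requests is a sign the challenge is static. In the session-bound version the token is random per request and discarded on the first `verify`, so there is no stable key to build a dictionary against.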
In fact, there are many free and open-source captcha services available online, for example http://www.captcha.net/. Programmers have no excuse for not using one. Note: I am not and will not be responsible for any attack on the site caused by this article.

MAS Enrich system down

Got this invitation email from HleBroking to register for MAS Enrich for FREE and earn points while trading. The URL is http://www.enrich.malaysiaairlines.com/EnrichWebsite/NewMember.jsp  However, after filling in the long registration form, at the final stage when I submitted it, the site responded with an HTTP 500 error. It appears that an error.jsp file was not found. MAS share price has already dropped into deep shit, they require government funding to help almost every year, and yet they can't get a membership system done correctly.

iOS App Icon

Today I asked my designer to give me an icon for our new iOS app that is waiting to be published to the Apple App Store. Next, he came back to me with this: