IOI Properties: this is not how you use captcha

Like many other property developers, IOI Properties put up a registration form on their website to collect user data. Unlike many, they do have some sense of security: they added a captcha, something many other developers' websites lack.

http://www.ioiproperties.com.my/puterisepang/Registration.aspx

Captcha is a technique for rendering human-readable text as an image, so that it cannot easily be analysed by a robot (a piece of programming script). This helps ensure that submitted data comes from a genuine human user, who has to type the text back in along with the submission. It is definitely one of the effective methods to stop spam and is widely used by big sites like Facebook, Google and Yahoo.

However, this IOI captcha is a wrong implementation. It is not only totally useless and vulnerable to attack, but also shows a lack of understanding on the part of its creator. The IOI captcha is not dynamically generated! It is just a collection of static images, and their system randomly selects one to display. For example:

  • http://www.ioiproperties.com.my/jcap/cimg/191.jpg
  • http://www.ioiproperties.com.my/jcap/cimg/1.jpg
  • http://www.ioiproperties.com.my/jcap/cimg/7.jpg
  • http://www.ioiproperties.com.my/jcap/cimg/106.jpg

This kind of bug is very dangerous, as it gives people a false sense of security. An attacker only needs to download the whole set of 191 images and build a dictionary like the one below, then parse the page HTML to get the image source URL, and he can easily spam the system:
  • 191.jpg – good
  • 1.jpg – polish
  • 7.jpg – soap
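The missing property is dynamic generation: the answer must be created fresh for each request and kept on the server, so there is no fixed image-to-text table to learn. The following is an added example written for this post (not IOI's code and not any particular captcha library) of a challenge store that does exactly that: each challenge gets a random answer and a random id, is stored server-side with an expiry, is consumed on the first verification attempt, and is compared in constant time. Drawing the text as an image is left to whatever imaging library the site uses and is assumed, not shown.

```python
"""Added example: a per-request CAPTCHA challenge store.

Illustrative code written for this post, not IOI's code and not a particular
captcha library. Every challenge is generated fresh, kept server-side, used
once and expires, so no static image-to-answer dictionary can be built.
Rendering the answer text to an image is delegated to a drawing library
(assumed, not shown here).
"""
import hmac
import secrets
import time

# Characters that stay readable when drawn; ambiguous pairs (0/O, 1/I) are left out.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
CHALLENGE_LENGTH = 6
DEFAULT_TTL_SECONDS = 300


class CaptchaStore:
    """Holds outstanding challenges: challenge id -> (answer, expiry time).

    An in-memory dict stands in for the session or cache a real site would
    use; the clock is injectable so expiry can be tested deterministically.
    """

    def __init__(self, ttl_seconds=DEFAULT_TTL_SECONDS, now=time.time):
        self._ttl = ttl_seconds
        self._now = now
        self._pending = {}

    def issue(self):
        """Create a fresh challenge.

        Returns (challenge_id, answer_text). The id goes to the browser in a
        hidden form field (or the session); the text goes only to the image
        renderer, never to the client as text or as a predictable file name.
        """
        answer = "".join(secrets.choice(ALPHABET) for _ in range(CHALLENGE_LENGTH))
        challenge_id = secrets.token_urlsafe(16)
        self._pending[challenge_id] = (answer, self._now() + self._ttl)
        return challenge_id, answer

    def verify(self, challenge_id, submitted):
        """Check a form submission against its challenge.

        The challenge is removed on the first attempt, right or wrong, so a
        solved (or guessed) answer cannot be replayed and a guesser gets one
        try per image. Comparison is constant-time and case-insensitive.
        """
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False  # unknown id, or already consumed
        answer, expires_at = entry
        if self._now() > expires_at:
            return False  # stale challenge
        normalised = submitted.strip().upper().encode()
        return hmac.compare_digest(answer.encode(), normalised)

    def purge_expired(self):
        """Drop stale challenges so the store does not grow without bound."""
        now = self._now()
        stale = [cid for cid, (_, exp) in self._pending.items() if now > exp]
        for cid in stale:
            del self._pending[cid]
        return len(stale)


if __name__ == "__main__":
    store = CaptchaStore()
    cid, text = store.issue()
    print("challenge id:", cid, "-> render this text as an image:", text)
    print("correct answer accepted:", store.verify(cid, text.lower()))
    print("replay rejected:", store.verify(cid, text))
```

The image URL served to the browser should carry only the random challenge id (for example `/captcha/<challenge_id>.jpg`, a hypothetical route), so that neither the file name nor the image bytes reveal anything that maps to a fixed answer.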
In fact, there are many free and open-source captcha services available online, for example http://www.captcha.net/. Programmers have no excuse for not using one.

Note: I am not and will not be responsible for any attack on the site caused by this article.