Vielmond wrote: The spambots are onto us. The version of reCAPTCHA used here isn't a good protection. It should look like this:
instead of the home address number alone. Google uses what users input to figure out those addresses in Street View. That means that they trust what the user inputs to some extent—they'll occasionally accept random numbers as valid. Even if they only let pass, let's say, 1 in 100 attempts, it's troublesome, because Permanoobs has another issue: sid.
Curiously, we have discussed another issue generated by the sid use in another thread. In registrations case, that's what happens: After X incorrect attempts the registration system should block you from trying for a considerable amount of time. However, since Permanoobs is unable to set cookies and sessions this can be instantly bypassed. All you need to do is erase the sid from the URL bar and keep trying. That means spambots can attack Permanoobs 24/7. Quick math:
Let's say they succeed in only 1% of their attempts to guess the captcha, and try once every 2 seconds: (86400s / 2) / 100 = 432 new fake profiles per day. They don't even need so many profiles to become the pain they are.
Looking at the members list it seems they register 5-85 profiles per day, and each profile creates 5 threads before being discarded. Those spambots identified this vulnerability and are now happily exploiting it. They won't stop until actions are taken.
The solution would be:
1. Use another captcha plugin, or the double reCAPTCHA version, or even the new reCAPTCHA 2.0. Permanoobs uses phpBB, I'm sure there are some readily available for download.
2. Fix the sid issue. That would add an extra layer of security by requiring an extra step from bots to bypass the system blocks. Bots pick the easiest targets, don't be the lowest hanging fruit and they'll seek an easier target to bother.
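To make the sid point concrete, here is a small simulation added to this thread (it is not phpBB code and not anything posted by the forum's own members): a registration throttle keyed on the session id gets a fresh, empty failure counter whenever the sid is missing, while the same throttle keyed on the connecting address keeps counting and locks the bot out. The request shape, the limits, and the 203.0.113.5 address are assumptions constructed for the example.

```python
import itertools
from collections import defaultdict

MAX_FAILED = 5   # failed captcha attempts allowed inside one window
WINDOW = 600     # seconds over which failures are counted
LOCKOUT = 1800   # seconds registration stays blocked once the limit is hit


class RegistrationThrottle:
    """Counts failed captcha attempts per key and locks that key out."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(list)   # key -> timestamps of failures
        self.locked_until = {}              # key -> time the lockout ends

    def allow(self, request, now):
        """True if this request may attempt the captcha right now."""
        key = self.key_func(request)
        if now < self.locked_until.get(key, 0):
            return False
        # forget failures that fell out of the sliding window
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW]
        return True

    def fail(self, request, now):
        key = self.key_func(request)
        self.failures[key].append(now)
        if len(self.failures[key]) >= MAX_FAILED:
            self.locked_until[key] = now + LOCKOUT
            self.failures[key].clear()


_sid_counter = itertools.count(1)

def sid_key(request):
    # Weak: the sid lives in the URL, so a request without one is treated as a
    # brand-new session, and the new session starts with an empty counter.
    return request.get("sid") or f"sid-{next(_sid_counter)}"

def ip_key(request):
    # Robust: the connecting address is not something the client can erase
    # from the URL bar (assumed here to be the sole throttle key).
    return request["ip"]

def attempts_allowed(throttle, requests, interval=2):
    """Simulate a bot that fails every captcha, one request every `interval` seconds."""
    allowed = 0
    for i, req in enumerate(requests):
        now = i * interval
        if throttle.allow(req, now):
            allowed += 1
            throttle.fail(req, now)
    return allowed
```

With 1000 sid-less requests two seconds apart, the sid-keyed throttle lets every one through, whereas the address-keyed throttle allows only five per lockout period.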
chazillah wrote: I tried looking into this but I have no idea how I can update the captcha. I will let the seal know but I also know he's super busy right now.
(maybe you want to help me look into it?)
It was such a pain in the arse deleting all those threads lol
Sure, sent you a PM. I can only imagine how annoying it is to hunt down those threads; and it's even worse once you realize those Fifa coins profiles don't create obvious spam threads, they post random answers like "i don't know" on existing legit threads. Sneaky bastards.