E2.0: User Registrations

The Barscape forum’s registration system has a non-fatal security flaw. It shows a confirmation code as a PNG image, but that image is assembled from hard-coded glyph data that is shipped as open software. It is therefore trivial for script writers to work out which letters/numbers are embedded in a confirmation code image by matching these pre-defined data regions. Every week, I have to go in and delete 3-7 fake, script-inserted users from the system. As the Barscape forum has a limited audience, this is not a problem. However, it is a pain.

Confirmation codes are useful tools for separating human browsers from robot scripts. However, one must make it very difficult for the robot processes to decipher the confirmation codes while keeping it easy for the human registrants. Here are some of my ideas:

1) Embed multiple confirmation code graphics in the web page, but set the style sheets such that only one is visible.

This will make things more difficult for the robots, as they will see more than one graphic embedded in the XHTML, while the human users will only see one. Set the server to add the IP address of the bot to an auto-kill file if the code entered matches one of the hidden codes. While a human may inadvertently enter an invalid code that happens to match one of the hidden codes, the odds are very low. We don’t want to penalize the human user if they make a mistake, but we do want to slam the door shut on robots.

Making the fake confirmation codes hidden will take some trickery. It would be easy, say, for a robot script to tell which of the following codes was valid:

<img class="hide_me" src="confirmation_code_1.png" />
<img class="show_me" src="confirmation_code_2.png" />
<img class="hide_me" src="confirmation_code_3.png" />

Even if one were to obfuscate the names of the img classes, any script writer worth their salt could access the CSS and parse out which classes contained the “visibility: hidden” property.

One way to get around this would be to use DHTML and show one of the confirmation codes after the page has been loaded. Essentially, send all of the codes hidden, then reveal one of them once the page has loaded. Unless the script can run/parse Javascript, and some can, it might be enough to stop all but the more sophisticated scripts.
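A server-side sketch of idea 1, added here as an example and not code from the Barscape forum: one real code plus hidden decoys are stored per session, a submission matching a decoy is treated as a scripted read of the markup and the address goes into the kill list, while a plain mismatch is treated as a human typo. The alphabet, code length, decoy count and the session/IP plumbing are assumptions; the image rendering is left to the existing PNG generator.

```python
import secrets
import string
from hmac import compare_digest

ALPHABET = string.ascii_uppercase + string.digits  # assumed code alphabet
CODE_LEN = 6                                       # assumed code length
DECOYS = 2                                         # two hidden images per page, as in the markup above


def new_code(rng=secrets):
    """One random confirmation code; rng only needs a .choice() method."""
    return "".join(rng.choice(ALPHABET) for _ in range(CODE_LEN))


def issue_challenge(rng=secrets):
    """Create one visible code plus DECOYS decoys, all distinct.

    The returned dict lives server-side (session or DB) and is never sent to
    the client; only the images are rendered, all with identical markup.
    """
    codes = set()
    while len(codes) < DECOYS + 1:
        codes.add(new_code(rng))
    codes = sorted(codes)                      # stable slot order 0..n for rendering
    visible = rng.choice(range(len(codes)))    # which slot the page will actually show
    return {"codes": codes, "visible": visible}


def check_submission(challenge, entered, client_ip, blocklist):
    """Classify one registration attempt: 'accept', 'bot' or 'retry'.

    A code the page never displayed can only have come from reading the
    markup, so that address is added to the kill list. Any other mismatch is
    a likely human typo and simply earns a fresh challenge.
    """
    entered = entered.strip().upper().encode()  # bytes so compare_digest accepts any input
    codes = challenge["codes"]
    if compare_digest(entered, codes[challenge["visible"]].encode()):
        return "accept"
    if any(compare_digest(entered, c.encode()) for c in codes):
        blocklist.add(client_ip)
        return "bot"
    return "retry"


def decoy_false_positive_rate():
    """Chance that a human's random mistyped code lands on a decoy."""
    return DECOYS / len(ALPHABET) ** CODE_LEN
```

Each challenge should be discarded after one check, whatever the outcome, so a script cannot probe the slots one by one.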

2) Display multiple confirmation codes with a different shaded background

Using the above idea, we simply create confirmation code graphics with different background tones and display them all. Then, we ask the user to select the “red” one. The drawbacks to this idea are that colorblind people may not choose the correct one, while scripts can probably use image recognition to look for a prevalent background color.

3) Use transparent overlays to create the visual graphic.

Or, as I shall call it, the Old Man of the Mountain trick. New Hampshire’s former landmark, the Old Man of the Mountain, was a visual effect caused by granite ledges which, when seen from the side, formed a facial profile. The ledges themselves were not one on top of the other when seen head on, though.

With this trick, we create several transparent images, using GIFs or PNGs (or both, why make it simple), and arrange them so that they all overlap each other, forming letters/numbers/symbols as a visual effect to be recognized by a human user. From a script’s point of view, each image by itself would have no recognizable symbolic features. In order to figure it out, the script would have to include some image management code to construct the composite image as a sum of its individual image snippets, and it still might not figure it out. While possible, the script would need some horsepower to run, which is fine by me.

4) Use Javascript onMouseOver

If we add some kind of browser-based human interaction, we can adjust our transparent overlay images on the fly. By requiring the user to place the mouse cursor over the scrambled confirmation code, we can adjust the images’ offsets and/or background-repeat characteristics to change the visual effect from garbage to a valid confirmation code.

These are just a few ideas that I’ll be toying with over the next few days.
