
Here is the challenge I got when I signed up for the service: http://imgur.com/x5hoN.png

For the solution I put in 'stupid', and it worked.

This definitely doesn't solve the security considerations that captchas were designed for.

Update: Ok, so it didn't take long to break this thing. These guys have the plain text of the CAPTCHA in the document DOM. It isn't even an image - the CAPTCHA is rendered in JavaScript. See: http://imgur.com/9VO4J.png

The 'brand' logos are an image, but they are simple to OCR.

So to break this CAPTCHA, simply hook v8 up to your auto-submit bot and interpret the JS that is being returned to you. You can't read it from the client because they serve that IFRAME from a different domain - so they base their security on the browser x-domain policy. But that is all moot if you are building a bot, or if you build a browser extension that solves these things.

And since this CAPTCHA isn't secure at all, they'll remove the security element altogether, making it a more annoying version of a banner ad.
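An added example, not part of the comment above and not the service's code: a Node.js sketch of the design flaw described (the expected answer shipped inside the delivered document) next to a server-side alternative where the client only receives a nonce, an expiry and a keyed MAC. The function names, the `captcha-text` element id and the two-minute lifetime are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // server-only key (assumption: one process)
const used = new Set();                // nonces that have already been attempted

// The MAC binds the normalized answer to this challenge's nonce and expiry.
const mac = (nonce, expires, answer) =>
  crypto.createHmac('sha256', SECRET)
    .update(`${nonce}|${expires}|${String(answer).trim().toLowerCase()}`)
    .digest('hex');

// Weak design: the expected answer is part of what the client receives,
// so anything that can read the document can read the answer.
function issueWeak(answer) {
  return { html: `<div id="captcha-text">${answer}</div>` };
}

// Hardened design: the payload carries no answer, only values the client
// cannot forge or invert without SECRET.
function issueHardened(answer, now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  const expires = now + 120000; // two-minute lifetime (assumption)
  return { nonce, expires, tag: mac(nonce, expires, answer) };
}

// One attempt per challenge: the nonce is burned whether or not the guess is
// right, so a single challenge cannot be guessed repeatedly.
function verify(challenge, response, now = Date.now()) {
  if (now > challenge.expires || used.has(challenge.nonce)) return false;
  used.add(challenge.nonce);
  const expected = Buffer.from(mac(challenge.nonce, challenge.expires, response), 'hex');
  const given = Buffer.from(String(challenge.tag), 'hex');
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

// Regression check for a test suite: does a challenge payload contain its answer?
function leaksAnswer(payload, answer) {
  return JSON.stringify(payload).toLowerCase().includes(answer.toLowerCase());
}

const sample = 'stupid'; // constructed sample answer, taken from the comment
console.log('weak leaks answer:    ', leaksAnswer(issueWeak(sample), sample));
console.log('hardened leaks answer:', leaksAnswer(issueHardened(sample), sample));
```

This only removes the answer from the delivered document; the challenge still has to be presented in a form that is hard to read automatically, which the comment notes the logo images are not.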
