Pastebin Captcha Bypass

[Scott Arciszewski <scott () arciszewski me>]

Hello all,

After reading an article in Go Null Yourself about abusing PhpBB's
Tell-a-Friend feature a while back, I've kept an eye out for ways to spam
people or bypass a website's flood protection. (Apologies to forum
moderators everywhere!)

On October 5, I discovered a captcha bypass technique and promptly reported
it to the Pastebin staff. They responded on October 7 and said they would
look into it. It's November 27 and they still haven't fixed this (despite
me giving them the solution).

The technique (which is pretty lame and obvious):

   1. Authenticate with a Twitter/Facebook account
   2. Create a new paste
   3. Write something benign that will not trigger their spam filter
   4. Submit
   5. Immediately edit the paste
   6. Replace your benign message with whatever spammy filth you want!

I'm not going to write a script to automate this, but it should be trivial.
If nothing else, you can spare yourself the trouble of solving a captcha
next time you decide to dump IRC logs or your rivals' mail spools and
something happens to contain a hyperlink.

Happy thanksgiving,

Scott Arciszewski

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/