Sony's CAPTCHA tests store characters in plain text

The whole point of a CAPTCHA is to obfuscate letters and numbers so only a human can infer what they really are. That human’s input is compared to an encrypted or hidden hash that verifies whether the characters were correctly typed or not. If they weren’t, then access to the desired information or service is blocked.

It’s a simple system, but one that works well enough that most websites use one in some form. However, Sony decided to do away with the whole encrypting or hiding of the hash entirely, and stores the CAPTCHA characters in plain text, accessible through the page’s source.

Over at Google+, Andrew Hintz found that a simple regex was all that was required to reveal the characters in the CAPTCHAs on Sony’s pages. Not only does this render them completely useless in weeding out bots, but it also puts whatever data is behind the CAPTCHA at risk if the other information required to get past it is somehow made available.

It’s unlikely that a CAPTCHA is used to protect sensitive information, but it does show us that Sony may not have completely reformed its somewhat lax attitude towards online security. Hintz is familiar with CAPTCHAs, and how they tend to be more of an annoyance for their users than a useful security tool. He’s written CAPTCHA breakers that reverse the most common image filters used to obscure characters.

What’s sad in this case is that one of those applications isn’t even required to get past the CAPTCHAs Sony uses on its site. All you have to do is right-click and look at the page source, and then dig just below the surface. Even worse, the JavaScript used to display and verify the CAPTCHA is well commented. This would normally be a great thing – every developer should comment his or her code – but in this case the comments reveal how the function is generating the CAPTCHA, perfect information for programming a bot to harvest the characters and input them.

Read more at Google+
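The design described in the first paragraph, as an added example that is not code from the article, from Hintz's post or from Sony's site: the expected characters stay in server-side state, the page carries only a random challenge id, and a regression check flags any page whose source contains the answer. The function names, the `/captcha/` and `/register` paths and the in-memory store are assumptions made for illustration.

```python
import hmac
import secrets
import time

TTL_SECONDS = 120
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no look-alikes such as 0/O or 1/I
_pending = {}  # challenge_id -> (answer, expires); a shared cache in production


def issue_challenge(now=None):
    """Create a challenge. The answer is kept server-side and used only to draw the image."""
    now = time.time() if now is None else now
    answer = "".join(secrets.choice(ALPHABET) for _ in range(6))
    challenge_id = secrets.token_urlsafe(16)
    _pending[challenge_id] = (answer, now + TTL_SECONDS)
    return challenge_id, answer


def render_form(challenge_id):
    """HTML sent to the browser: it refers to the challenge by id, never by answer."""
    return (
        '<form method="post" action="/register">'
        f'<img src="/captcha/{challenge_id}.png" alt="CAPTCHA">'
        f'<input type="hidden" name="captcha_id" value="{challenge_id}">'
        '<input name="captcha_text" autocomplete="off">'
        "</form>"
    )


def verify(challenge_id, typed, now=None):
    """Server-side check: known id, not expired, one attempt per challenge."""
    now = time.time() if now is None else now
    entry = _pending.pop(challenge_id, None)  # consumed whether the guess is right or wrong
    if entry is None:
        return False
    answer, expires = entry
    if now > expires:
        return False
    return hmac.compare_digest(answer.encode(), typed.strip().upper().encode())


def page_leaks_answer(html, answer):
    """Regression check for the flaw in the article: answer text present in page source."""
    return answer.lower() in html.lower()
```

Sending an unkeyed hash of the answer to the browser would not be an improvement, because a six-character CAPTCHA has a small enough answer space to enumerate offline; keeping the comparison on the server avoids that.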