Go to Computer World's Sharktank at http://sharkbait.computerworld.com/

Go to any entry and attempt to add a comment as an unregistered user.

Take a look at your captcha text.

I predict you will have the following:

NECXA

It doesn't validate but I always get that as the first captcha text.  The second one is always different, but of course it also doesn't validate.

I've tried this on both IE and FireFox. 

TERMAS here.

My turn to try! Whenever I go to this page, the captcha is always 89703. In fact, the captcha image is a static one, numbers.jpg. And even if it wasn't, that's gotta be the easiest captcha in the world to beat!
 

But did any of your first tries work, and do you always get the same captcha every time you go in fresh?
 

rbowes:

TERMAS here.

My turn to try! Whenever I go to this page, the captcha is always 89703. In fact, the captcha image is a static one, numbers.jpg. And even if it wasn't, that's gotta be the easiest captcha in the world to beat!
 

At least that one works when you go in, but yeah, why have a captcha if it is always the same one. 

mdk:

Filed under: IWonderWhatHappensWhenYouUseAReallyReallyReallyLongTagLetsFindOutIfAnythingBreaksShallWe

Nothing breaks, just falls off the edge.
 

KattMan:

Go to Computer World's Sharktank at http://sharkbait.computerworld.com/

Go to any entry and attempt to add a comment as an unregistered user.

Take a look at your captcha text.

I predict you will have the following:

NECXA

You predict wrong.

Your ISP probably has a really crappy "transparent" cache.

DaveK:

KattMan:

Go to Computer World's Sharktank at http://sharkbait.computerworld.com/

Go to any entry and attempt to add a comment as an unregistered user.

Take a look at your captcha text.

I predict you will have the following:

NECXA

You predict wrong.

Your ISP probably has a really crappy "transparent" cache.

I thought it was caching also, but when I go in the first time it is always the same captcha, after submitting I get a different captcha because the previous failed.  Submitting again still fails and I get another captcha.  Leave the site, shut down the browser and go back, attempt to post again and I get the exact same captcha as I did the first time, there is no pattern to subsequent captchas but the first one on every attempt is the same.

If it were caching, wouldn't it either always be the same or the same as the last one I had? The duplication is always on the first attempt and of course every attempt fails.

KattMan:

I thought it was caching also, but when I go in the first time it is always the same captcha, after submitting I get a different captcha because the previous failed.  Submitting again still fails and I get another captcha.  Leave the site, shut down the browser and go back, attempt to post again and I get the exact same captcha as I did the first time, there is no pattern to subsequent captchas but the first one on every attempt is the same.

If it were caching, wouldn't it either always be the same or the same as the last one I had? The duplication is always on the first attempt and of course every attempt fails.

Possibly because when you go to the form for the first time it's a GET, but when you post a wrong CAPTCHA and it tells you to try again it's a POST? 

iwpg:

KattMan:

I thought it was caching also, but when I go in the first time it is always the same captcha, after submitting I get a different captcha because the previous failed.  Submitting again still fails and I get another captcha.  Leave the site, shut down the browser and go back, attempt to post again and I get the exact same captcha as I did the first time, there is no pattern to subsequent captchas but the first one on every attempt is the same.

If it were caching, wouldn't it either always be the same or the same as the last one I had? The duplication is always on the first attempt and of course every attempt fails.

Possibly because when you go to the form for the first time it's a GET, but when you post a wrong CAPTCHA and it tells you to try again it's a POST? 

Yup, that's it. The "submit comment" page will be cached and with it the URL of the captcha image. Click the "add comment" links on two different articles: You will get two different captchas but the captcha for each article will stay the same.

The real WTF IMO is that the same capcha URL will always produce the same image.
 

PSWorx:

The real WTF IMO is that the same capcha URL will always produce the same image.

That's the worst WTF you can come up with?  The whole point of a CAPTCHA is to be difficult for a machine to understand, but easy for a human being.  I think putting the answer to the CAPTCHA in the URL makes it rather trivial for the machine (indeed, easier than for the human!), entirely defeating the purpose of a CAPTCHA. 

RevEng:

PSWorx:

The real WTF IMO is that the same capcha URL will always produce the same image.

That's the worst WTF you can come up with?  The whole point of a CAPTCHA is to be difficult for a machine to understand, but easy for a human being.  I think putting the answer to the CAPTCHA in the URL makes it rather trivial for the machine (indeed, easier than for the human!), entirely defeating the purpose of a CAPTCHA. 

I was referring to the URL of the captcha image, not the URL of the comment form, so maybe we're talking about the same thing? In any case, where exactly so you see the answer of the captcha in the URL?
The number in it seems to be the only piece of information, the captcha is based on, true, but you still don't know the algorithm they use to generate the captcha from the number. That could be anything after all, from a hash to a table with random letters in it.

So, yeah, if you had seen enough captchas there to associate each number with a captcha string you could solve this captcha automatically, but how do you think you can decode the number "on the fly"? Or did I miss something?

...all that of course not taking into account that any halfway self-respecting OCR software should have no problems reading that thing in anyway... or is the shark background supposed to scare them away? :p
 

any halfway self-respecting OCR software should have no problems reading that thing in anyway... or is the shark background supposed to scare them away?

I took up that glove, save the image, and ran my three-year old copy of ABBYY Finereader on it (came with the PC, at work). Abby has no trouble with, say screenshots from a PDF, but it generated this output from the captcha:

IT   c R   T 

Maybe a new version of better engine might crack it, but I blame the poor result on the lack of resolution. The image doesn't seem very distorted.

KattMan:

Go to Computer World's Sharktank at http://sharkbait.computerworld.com/

Go to any entry and attempt to add a comment as an unregistered user.

Take a look at your captcha text.

I predict you will have the following:

NECXA

It doesn't validate but I always get that as the first captcha text.  The second one is always different, but of course it also doesn't validate.

I've tried this on both IE and FireFox. 

I am guessing that the site puts a cookie on your computer with the captcha id.

http://sharkbait.computerworld.com/?q=_textimage/image/117491988
http://sharkbait.computerworld.com/?q=_textimage/image/1 

Change the last digit to something else and a new image will appear. 

mrsticks1982:

KattMan:

Go to Computer World's Sharktank at http://sharkbait.computerworld.com/

Go to any entry and attempt to add a comment as an unregistered user.

Take a look at your captcha text.

I predict you will have the following:

NECXA

It doesn't validate but I always get that as the first captcha text.  The second one is always different, but of course it also doesn't validate.

I've tried this on both IE and FireFox. 

 

I am guessing that the site puts a cookie on your computer with the captcha id.

http://sharkbait.computerworld.com/?q=_textimage/image/117491988
http://sharkbait.computerworld.com/?q=_textimage/image/1 

Change the last digit to something else and a new image will appear. 

It generates a new catcha sequentially for each post try.

I get a different CAPTCHA even when typing the URL in straight.

It must use the contents of the URL param/a cookie  + your IP address, hashed and reduced appropriately, to produce the CAPTCHA text.

I am guessing the CAPTCHA image returns a cookie which is used to seed the next iteration. If it is completely deterministic then such a sequence would "iterate forward" in sequence starting from those (originating-IP-specific) initial values. Clear your cookies and you get the same sequence.

Get a new DHCP address from your ISP, I bet the sequence is different.

I give up.

SharkBaits CAPTCHA is totally screwed, I'm sure of it, it is not me.  I just tried repeatedly getting a post in and went through something like three dozen attempts.  Yes it is different after each failed attempt even if the first is always the same.

I know it isn't me because now there is a few posts from one other guy describing the issue.  You can occasionally get in but it seems totally random.  Of course you won't see much about this on thier board because if you are haivng an issue, you can't post.

I would love to see their code for this, it is probably riddled with all kinds of WTF's.