MyBB Hacks

Full Version: Lol @ MyBB 1.6.5 hidden "CAPTCHA"
It seems MyBB 1.6.5 is trying to be a little more resistant to spam.
Some measures seem good, others are questionable.  Overall it probably won't really do much, though I guess every bit helps.

One thing I do wonder about is this "hidden CAPTCHA" thing they've introduced.  Despite the fact this is nothing like a CAPTCHA, I'm really not sure how they think an additional setting will really make it harder for spambots to get through.

member_register_hiddencaptcha template

HTML Code
<tr style="display: none;">
	<td colspan="2" id="{$captcha_field}_status">Leave this field empty: <input type="text" class="textbox" name="{$captcha_field}" id="{$captcha_field}" style="width: 100%" maxlength="50" value="" /></td>
</tr>


Existing spambot applications may need to be slightly tweaked to get around this.  But as this is a forum system level thing, it's likely they'll do it - the only issue being when (not if).
The absurd part is that the name of the field can be changed.  This is pretty much completely pointless - at most it makes the regex slightly trickier to write.  And the code to get around it is much smaller than the code to implement all of this.

Well written spambots should automatically be able to bypass this anyway.  If I were writing a bot, I'd automatically do something similar to:

PHP Code:
// Strip any element whose opening tag carries inline display:none, up to its matching close tag.
// The 's' modifier is needed so .*? can span newlines: the hidden <tr> row covers several lines.
$data = preg_replace('~\<([a-z0-9]+)(?:\s+|\s[^>]+\s)style\=([\'"])display\:\s*none;?\\2(?:\s[^>]*)?\>.*?\</\\1\>~is', '', $data);

(regex not deemed to be perfect, but if I wanted to do a 60 second fix to my spambot, this is probably what I'd do)
before trying to parse the <input> tags on the page.
So really, I don't give a damn what you name the field, this spambot bypasses it all without issue.

Not too sure why there's a setting to enable/disable this either, unless it's to get around the template updater not properly inserting the variable, although this won't really have any detrimental effect.


Another thing I'd like is a properly extendable CAPTCHA class (hint: interfaces), not some poorly designed OOP concept.
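The stripping step described in the post above, worked through end to end as an added example. This is not the original poster's code and not MyBB's; the registration form below is constructed to mirror the member_register_hiddencaptcha template, and the renamed honeypot field (zx_contact_url) is an assumed name chosen to show that the name does not matter.

```python
import re

# Constructed sample: a MyBB-1.6.5-style registration form containing the
# "hidden CAPTCHA" row. The honeypot field has been renamed by the admin
# (assumed name "zx_contact_url"); a real board will use something else.
SAMPLE_FORM = """
<form action="member.php" method="post">
<table>
<tr><td>Username: <input type="text" name="username" /></td></tr>
<tr><td>Password: <input type="password" name="password" /></td></tr>
<tr><td>Email: <input type="text" name="email" /></td></tr>
<tr style="display: none;">
	<td colspan="2" id="zx_contact_url_status">Leave this field empty: <input type="text" class="textbox" name="zx_contact_url" id="zx_contact_url" style="width: 100%" maxlength="50" value="" /></td>
</tr>
<tr><td><input type="hidden" name="my_post_key" value="abc123" /></td></tr>
<tr><td><input type="submit" name="regsubmit" value="Submit Registration!" /></td></tr>
</table>
</form>
"""

# Same form, but the row is hidden through a CSS class instead of an inline
# style. Constructed to show where the inline-style regex stops working.
CLASS_HIDDEN_FORM = SAMPLE_FORM.replace(
    '<tr style="display: none;">', '<tr class="nodisplay">'
)

# Any element whose opening tag has inline display:none, through its matching
# close tag (backreference \1 on the tag name, \2 on the quote character).
# DOTALL lets .*? cross newlines, since the hidden <tr> spans several lines.
HIDDEN_BLOCK = re.compile(
    r'<([a-z0-9]+)(?:\s+|\s[^>]+\s)style=([\'"])display:\s*none;?\2(?:\s[^>]*)?>.*?</\1>',
    re.IGNORECASE | re.DOTALL,
)

# name="..." on an <input> tag, in document order.
INPUT_NAME = re.compile(r'<input\b[^>]*?\bname=([\'"])([^\'"]+)\1', re.IGNORECASE)


def strip_hidden(html: str) -> str:
    """Remove every inline display:none element before parsing the form."""
    return HIDDEN_BLOCK.sub('', html)


def input_names(html: str) -> list[str]:
    """All <input> field names present in the markup."""
    return [m.group(2) for m in INPUT_NAME.finditer(html)]


def fields_a_bot_would_fill(html: str) -> list[str]:
    """Field names a bot sees after discarding hidden rows: the ones it submits."""
    return input_names(strip_hidden(html))


def honeypot_fields(html: str) -> list[str]:
    """Names present in the raw form but gone after stripping: the honeypot(s).

    Works purely on structure, so renaming the field changes nothing.
    """
    visible = set(fields_a_bot_would_fill(html))
    return [n for n in input_names(html) if n not in visible]


if __name__ == "__main__":
    print("bot fills:", fields_a_bot_would_fill(SAMPLE_FORM))
    print("honeypot(s) skipped:", honeypot_fields(SAMPLE_FORM))
    print("class-hidden variant, honeypot(s) found:", honeypot_fields(CLASS_HIDDEN_FORM))
```

Against SAMPLE_FORM the honeypot is dropped and the bot submits only username, password, email, my_post_key and regsubmit, whichever name the admin picked. The second sample is the caveat: the regex keys on an inline style attribute, so a row hidden by a stylesheet class passes through untouched and honeypot_fields returns nothing for it. A bot that wants to cover that case has to resolve CSS rather than regex the markup, which is more than the "60 second fix" in the post.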

I've gotten 21 registrations at LL that I have a sneaking suspicion are spammers, but because none of them have posted yet (or maybe the Bad Behavior plugin I installed prevents them?), I can't do anything about them. If they were genuine, I think they would have posted by now.
I've had plenty of (legit) registrations in the past who never post.  TBH, I'm not too sure why a lot of people do it - maybe it's for the ability to change settings or remember read threads, or maybe they intended to post, but changed their mind later on.

You can check if they've filled in their signature or website - if so, a good possibility of a spammer.
I've blocked sigs for those under 10 posts. Don't want to deal with hassle of signature spam.
I added security questions to my site and spam registrations have stopped.  I know it's not the best fix, but it has indeed helped.