I once worked for one of the largest media companies in my country and there was a project where they wanted to replace reCaptcha with a partner’s system that made users watch ads and asked a question about the ad instead of having them type some hard-to-read text.
Testing such a system, I quickly realized that the captcha part of it could easily be bypassed by anyone with minimal JS knowledge (the answer was available in a global JS var), but the answer would not be accepted by the server unless the entirety of the ad video had been successfully streamed to the video component.
I still remember clearly the response I got when I reported to the PO that the system was unfit due to being easily bypassed with JS:
“no user is gonna be coding anything just to avoid typing the answer on the input”.
Shouldn’t have expected much more from the same company that had me wait for the responsible person to get back from their 1-month vacation when I reported that their customers’ full credit card information was included in the output of a publicly available URL that only required an order ID.
But I later found out that most orders in that particular project were actually made by bots with stolen credit card information (the bots would use this company’s shopping cart to validate which cards were still working so they could use it for something useful afterwards). In the end we were mostly just leaking information that had already been leaked before.
Which company did you say you worked for?
A major one.
… Why did you answer?
It’s a Fight Club quote.
To elaborate on the reference in case you haven’t seen or don’t remember the movie: the scene has the protagonist explaining his job, which entails calculating the cost of recalling a line of vehicles versus paying out wrongful death settlements at the rate at which said vehicles have a deadly malfunction, and how, if the latter is less, they just don’t do the recall. spacenoodle is quoting the listener’s response when he finishes, and Atropos is quoting his reply.
Watch Fight Club if you haven’t, it’s an important one.
A media company owned by Telefonica.
Go on …