MyBB Community Forums

Full Version: Questions about the captcha
So with the default MyBB Captcha (I use NoCaptcha-Recaptcha), when you right-click and get the image URL you'll get [siteurlhere]/captcha.php?imagehash=[imagemd5hashishere]. That being said, what is stopping a spambot developer from including a built-in hash cracker (or worse, using a precomputed list of hashes so it only has to select a hash and get the value from a file)? With enough time and effort it'd make bruteforcing admin logins a breeze. Why was this done? I am very concerned.
The imagehash serves only as an identifier and is not related to the challenge text:
https://github.com/mybb/mybb/blob/mybb_1...a.php#L164
(2016-06-26, 10:17 PM)Devilshakerz Wrote: [ -> ]The imagehash serves only as an identifier and is not related to the challenge text:
https://github.com/mybb/mybb/blob/mybb_1...a.php#L164

So it's not a hash of the image text?
(2016-06-27, 01:00 AM)MyZeus Wrote: [ -> ]
(2016-06-26, 10:17 PM)Devilshakerz Wrote: [ -> ]The imagehash serves only as an identifier and is not related to the challenge text:
https://github.com/mybb/mybb/blob/mybb_1...a.php#L164

So it's not a hash of the image text?

Correct. It's the hash of a random_str() call, which is not the same as the text.
(2016-06-27, 04:36 AM)Josh H. Wrote: [ -> ]
(2016-06-27, 01:00 AM)MyZeus Wrote: [ -> ]
(2016-06-26, 10:17 PM)Devilshakerz Wrote: [ -> ]The imagehash serves only as an identifier and is not related to the challenge text:
https://github.com/mybb/mybb/blob/mybb_1...a.php#L164

So it's not a hash of the image text?

Correct. It's the hash of a random_str() call, which is not the same as the text.

Alright, thanks for clearing that up.
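
The distinction drawn in the replies above, as an added PHP sketch that is not MyBB's code and not part of the thread: an identifier derived from the answer can be looked up offline, while one derived from a separate random string cannot. The names `random_answer`, `issue_derived`, `issue_independent`, `verify` and the `$store` array are hypothetical, and deleting the entry after one check is an assumption of the sketch.

```php
<?php
// Added illustration: a simplified model, not MyBB's source.
// $store stands in for a server-side captcha table (hypothetical).

function random_answer(): string
{
    return strtoupper(bin2hex(random_bytes(3)));
}

// The design the question assumed: the public value is a hash of the answer,
// so the answer can be searched for offline by anyone who sees the URL.
function issue_derived(array &$store): string
{
    $answer = random_answer();
    $id = md5($answer);
    $store[$id] = $answer;
    return $id;
}

// The design the replies describe: the public value is a hash of a separate
// random string, so it carries no information about the answer.
function issue_independent(array &$store): string
{
    $answer = random_answer();
    $id = md5(bin2hex(random_bytes(16)));
    $store[$id] = $answer;
    return $id;
}

// Look the answer up by identifier and compare server-side. Deleting the row
// so a challenge is single-use is an assumption of this sketch.
function verify(array &$store, string $id, string $typed): bool
{
    if (!isset($store[$id])) {
        return false;
    }
    $expected = $store[$id];
    unset($store[$id]);
    return hash_equals(strtolower($expected), strtolower($typed));
}

$store = [];
$weak = issue_derived($store);
$strong = issue_independent($store);
echo 'derived id equals md5(answer): ', var_export(md5($store[$weak]) === $weak, true), "\n";
echo 'independent id equals md5(answer): ', var_export(md5($store[$strong]) === $strong, true), "\n";
echo 'correct answer accepted: ', var_export(verify($store, $strong, $store[$strong]), true), "\n";
echo 'replay of same id accepted: ', var_export(verify($store, $strong, 'again'), true), "\n";
```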