Looks like someone figured out how to game the Reddit system. This probably has been done before, but as far as we know nobody’s actually shared the methods in detail. [Esrun] wrote some scripts that allow him to register multiple accounts and use them to up-vote stories.
The hack goes something like this. A script registers a group of accounts. Each uses a different IP and the only part that requires intervention is typing in the Captcha. This doesn’t take long. You can see the script interface above as well as a demonstration video after the break.
Once the accounts have been acquired a story is submitted and the new accounts vote on it. They’re not all up-votes though, as having both up and down votes puts the article into the controversial section of Reddit (which is desirable), and doesn’t rouse as much suspicion from the moderators. He ran a few tests that he shares and it seems that as long as the article is interesting, this can be quite successful.
Great, more spam with our social media please.
Continue reading “Reddit hacking for votes and profit”
[PT] tipped us off about a new way to screen bots from automatically leaving comments. Resisty is like CAPTCHA but it requires you to decipher color bands on a resistor instead of mangled text. This won’t do much for the cause of digitizing books, but if you can never remember your color codes this is a good way to practice. Resisty comes as a plug-in for WordPress, add it to your blog and for a geek cred +1.
Google has acquired reCAPTCHA and plans to use the system for digitizing books. Wait… what? CAPTCHA is the method of requiring a user to type in a visually obscured word to prove they are human. How can this digitize books? The answer is a bit obscure and takes some time to discover, but you’ll have fun along the way. Continue reading “Are you human? Then type out this book”
We reported last week that D-Link was adding captchas to their routers to prevent automated login by malware. Unsurprisingly, it doesn’t work all time. The team from SourceSec grabbed the new firmware and began poking at it. They found that certain pages don’t require the authentication to be passed for access. One of these is WPS activation. WPS lets you do push button WPA configuration. Once activated, any nearby client can request the WPA key using a tool like WPSpy. Only user level credentials are needed to pull this off, so changing just the admin password won’t prevent it.
UPDATE: [John Resig] explained of how it works.