A captcha (an acronym for "completely automated public Turing test to tell computers and humans apart") is a type of challenge-response test used in computing to determine whether or not the user is human. One such test is utilized by Yahoo to prevent SPAMers from creating accounts for the sole purpose of sending through Yahoo SPAM. The system used by Yahoo has been found to contain a flaw that would allow a SPAMer to solve this Turing test once, and utilize the solution for any future requests for new accounts he does.
Whilst Tom tried to write an OCR program to solve visual captchas or "word verification" tests as they are called by online services, Tom noticed that with Yahoo the online forms which the captchas were trying to protect from bots could be submitted just by solving one image and changing the ".SecData" POST variable to the image name without it's extension. This means of course that a bot would not need to solve the captcha, which is quite a challenge at present.
This means that solving just this test:
<INPUT type="hidden" name=".SecData" value="akasdmfhugfcvwenecjeeve--">
And then submitting it to any future request done to Yahoo would bypass the problem posed by the Word Verification System used.
Tom contacted Yahoo about this issue and has received no reply. At the moment he doesn't have an idea of the scale of the problem of mass account holding so he is not sure if this warrants "a fix". The problem must have been serious enough to warrant measures to be taken against it. Yahoo cannot be the only website using this technology, so what other sites could be vulnerable? Online E-mail providers, Banks, Shops?
Mozilla Browser Address Bar Spoofing Weakness
Mozilla Firefox 0.x
A weakness has been reported in Mozilla, allowing malicious people to
conduct phishing attacks.
The weakness is caused due to an error within the handling of URLs.
This can be exploited to potentially trick users into supplying
sensitive information to a malicious web site, because information
displayed in the address bar can be constructed in a certain way,
which may lead users to believe that they're visiting another web
site than the displayed web site.