Topic: 0 (Read 486 times)
They can...? What's the issue?
The first time you log in with the captcha, grab your bypass captcha code and can use that link to log in (to your account) anywhere without having to fill the captcha ever again.
Yeah get that, im talking about quoted msg from posi. and i try to open then link profided. i just though since no capthca there i can login, turn out its show as invalid code when im using my username and password.The first time you log in with the captcha, grab your bypass captcha code and can use that link to log in (to your account) anywhere without having to fill the captcha ever again.
Yeah get that, im talking about quoted msg from posi. and i try to open then link profided. i just though since no capthca there i can login, turn out its show as invalid code when im using my username and password.
If the code "xxxxxxxxxxxxxccxcxxxx" in his example was someone's bypass-captcha code, you would be able to log in with (and only) that account w/o a captcha. 
They can...? What's the issue?
The first time you log in with the captcha, grab your bypass captcha code and can use that link to log in (to your account) anywhere without having to fill the captcha ever again.
Yeah get that, im talking about quoted msg from posi. and i try to open then link profided. i just though since no capthca there i can login, turn out its show as invalid code when im using my username and password. The first time you log in with the captcha, grab your bypass captcha code and can use that link to log in (to your account) anywhere without having to fill the captcha ever again.
well, look like everyone can login without captcha then. i try to open this at incognito and i dont see any captcha.
They can...? What's the issue?The first time you log in with the captcha, grab your bypass captcha code and can use that link to log in (to your account) anywhere without having to fill the captcha ever again.
This only works if you're logging with your account's bypass-captcha code.
Suchmoon understand the vulnerability I'm talking about and the same thing still applied after the code was created. Go to the link provided by OP this is what you'll get
well, look like everyone can login without captcha then. i try to open this at incognito and i dont see any captcha. Quote
You can bypass the CAPTCHA on the login page by bookmarking this link and using it to login:
https://bitcointalk.org/index.php?action=login;ccode=xxxxxxxxxxxxxccxcxxxx
This link is unique to your account. You cannot use it with other accounts. It only works on the login page.
If someone else gains access to your unique captcha-bypass link, then they could try to brute-force your password. In that case, you should reset it:
https://bitcointalk.org/index.php?action=login;ccode=xxxxxxxxxxxxxccxcxxxx
This link is unique to your account. You cannot use it with other accounts. It only works on the login page.
If someone else gains access to your unique captcha-bypass link, then they could try to brute-force your password. In that case, you should reset it:
edit: oh fuck silly me, just try to login and it says invalid code
but you need to be aware of the vulnerability involve if the code leak out.
What vulnerability?
Someone could bruteforce your password.
As they could before the code was created. The code does not decrease security in any way.
Quote
You can bypass the CAPTCHA on the login page by bookmarking this link and using it to login:
https://bitcointalk.org/index.php?action=login;ccode=xxxxxxxxxxxxxccxcxxxx
This link is unique to your account. You cannot use it with other accounts. It only works on the login page.
If someone else gains access to your unique captcha-bypass link, then they could try to brute-force your password. In that case, you should reset it:
https://bitcointalk.org/index.php?action=login;ccode=xxxxxxxxxxxxxccxcxxxx
This link is unique to your account. You cannot use it with other accounts. It only works on the login page.
If someone else gains access to your unique captcha-bypass link, then they could try to brute-force your password. In that case, you should reset it:
Am I stupid or something? What’s stopping them from using their own code to brute force an account?
Codes are unique to each account. If you use your code on a different account you get "Invalid ccode" even if you enter the correct password.
As they could before the code was created. The code does not decrease security in any way.
But there is a captcha on every attempt. Imagine bruteforcing an password and having to fill Google’s reCAPTCHA every single time. Impossible.If someone finds your code, they can try thousands of combinations in seconds.
I checked the stay logged in option during login to avoid re-logging in and completing captcha everytime
is there also a security risk having my account always stay logged in? I think it's been over a year+
If someone manages to log in to your wallet, they will be able to stay logged in forever (until you log in with a specific expire time, which will log out everyone).is there also a security risk having my account always stay logged in? I think it's been over a year+
Also, if someone gets your browser cookies, they can spoof your session and stay logged.
That’s all I’ve noticed.
If someone finds your code, they can try thousands of combinations in seconds.
I checked the stay logged in option during login to avoid re-logging in and completing captcha everytime is there also a security risk having my account always stay logged in? I think it's been over a year+
Without a comprised database, wouldn't the forum firewall limit you to one attempt per second on average?
Maybe... but in that case, wouldn’t you be able to use multiples IPs to make multiple consecutive tries. 
As they could before the code was created. The code does not decrease security in any way.
But there is a captcha on every attempt. Imagine bruteforcing an password and having to fill Google’s reCAPTCHA every single time. Impossible.If someone finds your code, they can try thousands of combinations in seconds.
Without a comprised database, wouldn't the forum firewall limit you to one attempt per second on average?
but you need to be aware of the vulnerability involve if the code leak out.
What vulnerability?
Someone could bruteforce your password.
As they could before the code was created. The code does not decrease security in any way.
As TryNinja said, it allows to do it much cheaper and quicker. However, with a strong password the chance of that happening is still much lower than the chance of buses and chimneys making me go insane, so I don't hesitate to use it.
Don't forget the reset button as it helps to generate a new bypass link and disable/remove the old one.
So if you don't want your account to be compromised use the reset button whenever you log out and it's a good practice to keep your account safe.
but you need to be aware of the vulnerability involve if the code leak out.
What vulnerability?
Someone could bruteforce your password.
As they could before the code was created. The code does not decrease security in any way.
As TryNinja said, it allows to do it much cheaper and quicker. However, with a strong password the chance of that happening is still much lower than the chance of buses and chimneys making me go insane, so I don't hesitate to use it.
As they could before the code was created. The code does not decrease security in any way.
But there is a captcha on every attempt. Imagine bruteforcing an password and having to fill Google’s reCAPTCHA every single time. Impossible.If someone finds your code, they can try thousands of combinations in seconds.
but you need to be aware of the vulnerability involve if the code leak out.
What vulnerability?
Someone could bruteforce your password.
As they could before the code was created. The code does not decrease security in any way.
but you need to be aware of the vulnerability involve if the code leak out.
What vulnerability?
Someone could bruteforce your password.
but you need to be aware of the vulnerability involve if the code leak out.
What vulnerability?
I mean it's super great system. Thank you for making it !!!
https://bitcointalk.org/captcha_code.php
Since it's activated? And maybe the only one who didn't knew that this necessary option existed...
.
https://bitcointalk.org/captcha_code.php
Since it's activated? And maybe the only one who didn't knew that this necessary option existed...
.My BPIP scraper has been using it since it was introduced. A very nice feature indeed.
Jump to: