
TWOCrowds.com flickr CAPTCHA test

I noticed somewhere on the web that TWOCrowds.com is using the flickr API to create a CAPTCHA test. It looks like they are using the API to pull up a photo tagged with a convention that says “this is a photo of a single letter: r”.

Wouldn’t this be pretty easy to defeat? The JPGs are being served from flickr and are named like this: “114556884_45d6dd4ec4_s.jpg”. The first part of the filename is the photo id, which you can pass to the flickr API method flickr.photos.getInfo. That method returns all the tags (among other things) for the image, the “Rr” tag being the convention that says this is a photo of the letter R:


    <tags>
        <tag id="256536-114556884-484" author="95229107@N00" raw="Paris">paris</tag>
        <tag id="256536-114556884-6562" author="95229107@N00" raw="claudecf">claudecf</tag>
        <tag id="256536-114556884-17897" author="95229107@N00" raw="letter">letter</tag>
        <tag id="256536-114556884-67834" author="95229107@N00" raw="oneletter">oneletter</tag>
        <tag id="256536-114556884-6496" author="95229107@N00" raw="letters">letters</tag>
        <tag id="256536-114556884-8513" author="95229107@N00" raw="Rr">rr</tag>
    </tags>

They could prevent this by not revealing the image names in the HTML – by having their webserver read in the JPG and delivering it with a different filename.
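
The fix suggested above, sketched as an added example (not TWOCrowds' code): the HTML carries only an opaque, single-use token, and the server keeps the flickr filename and the expected letter to itself. `ChallengeStore`, the `/captcha/<token>.jpg` route and `leaks_photo_id` are hypothetical names; the sample filename is the one quoted in this post.

```python
import re
import secrets
import time

class ChallengeStore:
    """Maps opaque single-use tokens to the upstream image and expected answer."""

    def __init__(self, ttl_seconds=120):
        self.ttl = ttl_seconds
        self._by_token = {}

    def issue(self, upstream_name, answer, now=None):
        now = time.time() if now is None else now
        token = secrets.token_hex(16)  # random, unrelated to the photo id
        self._by_token[token] = (upstream_name, answer.lower(), now + self.ttl)
        return token

    def image_source(self, token, now=None):
        """For the image route: which upstream file to read and re-serve."""
        now = time.time() if now is None else now
        entry = self._by_token.get(token)
        if entry is None or now > entry[2]:
            return None
        return entry[0]

    def verify(self, token, guess, now=None):
        """The token is consumed on the first attempt, right or wrong."""
        now = time.time() if now is None else now
        entry = self._by_token.pop(token, None)
        if entry is None or now > entry[2]:
            return False
        guess = guess.strip().lower().encode()
        return secrets.compare_digest(guess, entry[1].encode())

def render_img_tag(token):
    # Assumed route: the web server fetches the JPG itself and streams the bytes.
    return f'<img src="/captcha/{token}.jpg" alt="">'

# Shape of the filename quoted in the post: <photo id>_<10 hex chars>_<size>.jpg
FLICKR_NAME = re.compile(r"\b\d+_[0-9a-f]{10}(?:_[a-z])?\.jpg\b")

def leaks_photo_id(html):
    """Regression check: True if markup still exposes a flickr-style filename."""
    return bool(FLICKR_NAME.search(html))
```

Running `leaks_photo_id` over rendered pages in a test suite catches a template that slips back to linking the upstream file directly.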
