Archive for the 'php' Category
Rigging a Contest
A friend of mine wrote a screenplay for the Samsung Mobile Fresh Films contest. He’s been telling everyone to vote for his screenplay (it’s called “Out with the Trash”, in the comedies section, go vote for it!) And, after voting a couple times and realizing that you could vote an unlimited number of times, I was able to find a huge hole in their voting system.
Normally, you go to their website, go to the comedies section, click a link that gives you a popup, choose which screenplay to vote for, enter five numbers/letters, click vote, close the window, open it again, … It’s a long process to just vote twice. I wanted to vote a bunch of times for him. So I made a script to do it for me. Of course, I didn’t crack their CAPTCHA, but I did find an interesting flaw in it.
When their CAPTCHA is loaded, it’s loaded from a PHP script with a couple parameters passed to the script: width, height, and number of characters. The script takes that input and generates an image and a session ID (so they can make sure you put in the right characters). After a couple tries, I figured out that the minimum number of characters the script would generate was two. After that, it was a simple matter of writing two scripts: One to grab the CAPTCHA image, and set a session variable to the session id they assign you, and another to have you input the two characters and send the required POST data back to their website. Anyone good with PHP can write this in about 10-15 minutes (or less, even).
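A server-side counterpart to the flaw described above, as an added example that is not code from the original post or from the contest site: the character count is a server constant, the client-supplied width and height are clamped, and each challenge is single-use and time-limited. All function names, constants and limits are assumptions, and the session and request parameters are passed as plain arrays so the script runs from the PHP CLI.

```php
<?php
// Added example; names, constants and limits are hypothetical.
const CAPTCHA_LENGTH   = 6;    // fixed on the server, never read from the request
const CAPTCHA_TTL      = 120;  // seconds a challenge stays valid
const CAPTCHA_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';

// Clamp a client-supplied image dimension into a server-defined range.
function clamp_dimension($value, int $min, int $max, int $default): int
{
    $n = filter_var($value, FILTER_VALIDATE_INT);
    return $n === false ? $default : max($min, min($max, $n));
}

// Create a challenge and bind it to the caller's session.
function issue_captcha(array $query, array &$session): array
{
    $alphabet = CAPTCHA_ALPHABET;
    $code = '';
    for ($i = 0; $i < CAPTCHA_LENGTH; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $session['captcha'] = ['code' => $code, 'expires' => time() + CAPTCHA_TTL];
    return [
        'width'  => clamp_dimension($query['width'] ?? null, 120, 400, 200),
        'height' => clamp_dimension($query['height'] ?? null, 40, 120, 60),
        'code'   => $code, // rendered into the image only, never sent as text
    ];
}

// Check an answer; the challenge is consumed whether or not it matches.
function verify_captcha(string $answer, array &$session): bool
{
    $entry = $session['captcha'] ?? null;
    unset($session['captcha']);
    if ($entry === null || time() > $entry['expires']) {
        return false;
    }
    return hash_equals($entry['code'], strtoupper(trim($answer)));
}

// Constructed request: a 'chars' parameter is sent but has no effect.
$session = [];
$spec = issue_captcha(['width' => '10', 'height' => '9999', 'chars' => '2'], $session);
printf("length=%d width=%d height=%d\n", strlen($spec['code']), $spec['width'], $spec['height']);
printf("first answer accepted: %s\n", var_export(verify_captcha($spec['code'], $session), true));
printf("replayed answer accepted: %s\n", var_export(verify_captcha($spec['code'], $session), true));
```

This covers only the CAPTCHA parameters; the unlimited repeat voting mentioned in the post needs its own per-voter limit on the vote endpoint.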
Quick Bit O’ PHP — “Spam-Proofing”
Ever needed to obscure an e-mail address on your website? Most techniques use JavaScript (this one technically does also), but that renders them incompatible with some browsers. The following is a PHP function I wrote a little while ago to obscure an e-mail address on a webpage, but still keep it compatible with old browsers.