Yahoo! has long implemented measures that prevent automated account-creation attempts: the pages display a word or number in an image and require the user to type it. Apparently, frustrating robots is pretty important, and it seems to be successful.
They take a similar approach when you upload an image to a Yahoo! member profile. A six-digit number is displayed in a JPEG image, but the overall implementation wasn't done quite right, as checking the properties of the image shows:
Because the confirmation number is included as part of the image name, an automated program can trivially read it without ever looking at the image. Oops.
In fairness to Yahoo!, this was apparently some kind of debugging mode, and they had it fixed within five hours of reporting. It's fun to imagine a collective "Doh!" from the security people.
Posted by Steve at March 04, 2003 06:46 PM
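The flaw described in the post, next to a version that keeps the answer on the server, as an added example (not Yahoo!'s code). All names, the in-memory store and the `confirm_<number>.jpg` naming are constructed for illustration.

```python
import hmac
import secrets

# Hypothetical in-memory store; a real service would use a session store with expiry.
CHALLENGES = {}


def leaky_image_name(answer: str) -> str:
    """The flawed pattern: the confirmation number is part of the image name.
    The exact naming scheme here is constructed, not taken from the post."""
    return f"confirm_{answer}.jpg"


def issue_challenge() -> dict:
    """Create a challenge whose client-visible fields are unrelated to the answer."""
    answer = f"{secrets.randbelow(10**6):06d}"  # six-digit number, as in the post
    token = secrets.token_urlsafe(16)           # opaque random identifier
    CHALLENGES[token] = answer                  # the answer never leaves the server
    return {"token": token, "image_name": f"{token}.jpg"}


def verify(token: str, typed: str) -> bool:
    """Single-use check: the challenge is discarded whether or not it matches."""
    answer = CHALLENGES.pop(token, None)
    if answer is None:
        return False
    # Compare as bytes so non-ASCII input is rejected instead of raising.
    return hmac.compare_digest(answer.encode(), typed.encode())


def leaks_answer(client_fields: dict, answer: str) -> bool:
    """Regression check: does any value sent to the client contain the answer?"""
    return any(answer in str(value) for value in client_fields.values())


if __name__ == "__main__":
    challenge = issue_challenge()
    answer = CHALLENGES[challenge["token"]]
    print("leaky name exposes answer:",
          leaks_answer({"image_name": leaky_image_name(answer)}, answer))
    print("opaque name exposes answer:", leaks_answer(challenge, answer))
    print("correct answer accepted:", verify(challenge["token"], answer))
    print("replay accepted:", verify(challenge["token"], answer))
```

A check like `leaks_answer` fits in a test suite, run over every field and URL the page sends to the browser, so that a debugging shortcut of this kind fails the build before it ships.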
The reaction internally at Yahoo was, well, amusing. :-)
Posted by: Jeremy Zawodny on March 4, 2003 08:02 PM
Had you not had an inside track at Yahoo!, I think it would have taken more like 5 years to get the right person to pay attention to it.
Posted by: SteveG on March 5, 2003 04:29 PM