I've been seeing quite a lot of terrible CAPTCHA implementations out there lately, so here's a thread where everyone can post their findings and maybe make suggestions on how to solve the security issues we see...

Anyway, here's my contribution (found this a few days ago, and saved it because it was so funny):

In a login page's source, the (quite lazy) web developer included:

    <script language="JavaScript">
    <!--
      if (top.frames.length!=0)
       top.location=self.document.location;
       // Disable browser's Back button on another page
       // being able to go back to this page and seeing the same turing image.
       window.setTimeout('history.forward()', 1500);
    // -->
    function initpage() {
        document.turingimage.src = '/cgi-bin/sblogin/turingimage.cgi?' + Math.random();
        prefillForm();
    }
    // -->
    </script>

...and later on...

<!-- <body> -->
<!--
Use the this 1X1 pixel version of the Turing image if you remove 
the visible one from the page.  Calling the Turing image is necesary
even if it's not visible.
<img src="/cgi-bin/sblogin/turingimage.cgi" height="1" width="1" name="turingimage" id="turingimage"><br>
-->

So the page basically gives you instructions on how to bypass the CAPTCHA, LOL!

Gotta love when developers believe they're the only ones seeing the source :D

Ugh... that's terrible.

- RSnake
Gotta love it. http://ha.ckers.org

Doesn't that work only when the image is actually turned off? In which case it's not important since there's no image at all?

it should work that way, but you can make the script believe the captcha is turned off when it actually is turned on... so you bypass the captcha without even having to solve it :P