Here is a demo (http://xenweb.net/forums/register.php)

Let me explain how this works.

On the registration page a potiental user has to enter a random character of a word.
I have done something different though. It randomly selects a username from the database to be used as the word.

Some of you may be asking "Can you explain how it does the checking"?
On the registration page I have a hidden form that contains a hashed version of the correct character. After the form is submitted it checks if the the hashed version of the character you typed against the correct hash.

If you installed this hack you can enable it by going to
vBulletin Options --> User Registration Options
The option to enable/disable the feature and to add your own hash are at the bottom.


If you are upgrading this hack you'll need to edit the "register" template.

Go to your ACP >> Styles & Templates >> Style Manager
Expand the template you want to edit.
Expand the Registration Templates category

Open: register
Find:
What is the first character of <b>$ahbot[username]</b>?

Replace with:
What is the $char_loc character of the word <b>$ahbot[username]</b>?

If you find any way that bots can get pass this please tell me.

Nice....I may use this at a later date.......

Nice I like it simple and surely should be affective.
Feature request
Can you make it so the amount of required text can be adjusted? So say instead of just the first letter could be the first 2 or 3 or etc etc? Only problem I see with that is the length of the username that gets picked to display say the username that is showing at registration is only 3 characters long but its set to require the first 4? Something that can be worked around?

I like how this does not require the making of a custom profile field I hate making those.

Creative, Nice, Excellent. Not much more to say :)
* Shazz won't use it but had to take a peek :)

Sweet idea i`ll be installing this after work 2morro:)

Clicks install:D

nice mod - Thanx for the sharing!

Jacquii.

Nice I like it simple and surely should be affective.
Feature request
Can you make it so the amount of required text can be adjusted? So say instead of just the first letter could be the first 2 or 3 or etc etc? Only problem I see with that is the length of the username that gets picked to display say the username that is showing at registration is only 3 characters long but its set to require the first 4? Something that can be worked around?

I like how this does not require the making of a custom profile field I hate making those.
I thought of that too but I think that randomly selecting the character would be better.

Thanks everyone.

Looks good. Thanks! ;)

* projectego clicks install

Sorry, but this is incredibly easy to bypass - in fact I can think of two ways that this can be done...

MD5 Hash Table.
I could easily create a small array of hashes for each 'possible' answer. As the chances are that most of the time the character will be alphanumeric, i will only need A-Z,a-z and 0-9. All i have to do is hash each of these letters in turn and store them in a small array (62 cells)

For example

$answer[0cc175b9c0f1b6a831c399e269772661] = 'a'
$answer[92eb5ffee6ae2fec3ad71c777531578f] = 'b'

Now all i have to do is look up the value stored in the array with the key that matches your 'hidden field' value and put that letter in the field.

Look at the webpage
Alternatively, I could just look at the webpage. Unless I'm missing something, you give me the username in plain text. All i have to do is look for the value given after 'What is the first character of '?

This is the very reason that vBulletin uses CAPTCHA - it's an image so cannot just be 'read' in this way.

You may however get some 'security through obscurity' - bots need to know about your hack before they know what to do. But that would only take time and popularity.

Sorry to rip it apart so badly, but you did ask if there was any way bots could get past it.

Keep at it :)

Ollie

Just thinking, you may be able to secure it a little more by appending the vbulletin license number (or a random string stored in vb options) to the character before you hash it (both times). This is known as 'salting', and would make the 'MD5 hash table' bypass much, much harder. You might want to Google that and read up on it :)

Don't know what you can do about the other thing though - you could turn it into an image but then what advantage does it give over vb's default captcha?

Can bots read the source code?

Pyrix is right, salting the hash would work wonders... may I suggest letting the admins choose their own salt in the admin CP. That way each board has it's own salt.

The second issue about the bot automatically "looking at the webpage" for a value, can also be solved using the admin CP. Just let users customize the question in thier own words, and customize the title (where it says "Harmor's Bot Protection" and "What is the first character of" in the screen shot).

Also, I was thinking... how hard would it be to allow the admin to choose EITHER the 1st, 2nd, 3rd character the users should enter (set via admin cp). This would make is at least not exactly the same on all boards, and since vB has min usernames set at more than 3, it should always work.

Just my $0.02 cents.

Hopefully I increased the security of this hack. It now selects a random character instead of asking the user to enter the first character.

Here is a snippet of code I added.
if(empty($vbulletin->options['harmor_bot_protection_hash']))
{
$vbulletin->options['harmor_bot_protection_hash'] = "gwetg7gaswegty7sawfrtq2w6t";
}

$word = $ahbot['username']{$ah_rand - 1};
$hash = md5(md5($word).$vbulletin->options['harmor_bot_protection_hash']);

The screenshot has been updated as well. 63065

Can bots read the source code?


of course they can...

they filter through the source to find hash's so they can do things (and the hashs were made to stop them).

of course they can...

they filter through the source to find hash's so they can do things (and the hashs were made to stop them).
Thanks for answering my question.

what happens for example if people have a space in their name so the user name is "no gas" and you ask for the third letter? is it g or space, etc??

what happens for example if people have a space in their name so the user name is "no gas" and you ask for the third letter? is it g or space, etc??
I didn't take that into account. I'll update the hack soon. Thank you for pointing that out.

what happens for example if people have a space in their name so the user name is "no gas" and you ask for the third letter? is it g or space, etc??
I have updated the hack to remove spaces in usernames. "no gas" becomes "nogas".

Isn't this the point of image verification?

Isn't this the point of image verification?
Yes, but sometimes the image verification can be hard to read.