Free Dr. Pepper Overloads Site, Exposes Captcha Key

I love Dr. Pepper. So when then announced they where giving it away for free I was all over it.

Sadly though the site was not up to the task and was continually failing in new and wonderful ways. Everything from Service Unavailable to this piece of code poo:

Start ‘, gmdate(”F j, Y, g:i:s a T”, $start_time), ‘
Now ‘, gmdate(”F j, Y, g:i:s a T”, time()), ‘
End ‘, gmdate(”F j, Y, g:i:s a T”, $end_time), ‘
Time From Start ‘, $g_nTimeToStart, ‘ (H:’,$g_nHoursFromStart,’ M:’,$g_nMinutesFromStart,’ S:’,$g_nSecondsFromStart,’)’, ‘
Time Until End ‘, $g_nTimeToEnd, ‘ (H:’,$g_nHoursToEnd,’ M:’,$g_nMinutesToEnd,’ S:’,$g_nSecondsToEnd,’)’, $g_bSwitch? ‘
SWITCH
‘:’
NO SWITCH
‘; exit(); } require_once(’recaptchalib.php’); include “account/process_user.php”; // Get a key from http://recaptcha.net/api/getkey $publickey = “6Lcp6AMAAAAAACdUl5_X5cbuQLzgWMMRHlb3MbwV”; $privatekey = “6Lcp6AMAAAAAAGR1pjoXN2dLHg9sVIKmBR-XXXX”; ?>

Hey cool a private key (I changed it above)! It looks like to goes to ReCaptcha so I hop on over to the ReCaptcha site to find out how bad this is. I found this;

Signing up for a reCAPTCHA Key

In order to use reCAPTCHA, you need a public/private API key pair. This key pair helps to prevent an attack where somebody hosts a reCAPTCHA on their website, collects answers from their visitors and submits the answers to your site. You can sign up for a key on the reCAPTCHA Administration Portal.

So if you where paying attention you can now crack Dr. Peppers ReCaptcha all day long. This is not the end of the world but I am sure some spammer somewhere is already on in and doing something not good.

This is a great example of the type of things missed when you are only looking one piece of the app. sec. problem.  This could have been prevented with an egress filter of some sort or better load a failure testing in QA. It looks like the folks at Dr Pepper are doing neither.

And I never did get my free Dr. Pepper!!