item 6985586

Indian Railway has implemented the world's dumbest captcha

18 points| techaddict009 | 12 years ago

Indian Railway has always been criticized by Indian travelers. Indian Railway servers go down every now and then.

Just found how dumb the developers of the Indian Railway are.

Visit: http://www.indianrail.gov.in/pnr_Enq.html

And just select the captcha using the mouse. You will get what I actually mean.

19 comments

[+] codegeek|12 years ago|reply
They do generate it using js and Math.random :)

    <body onload="DrawCaptcha();">
......

    <script type="text/javascript">
    // Generates the captcha: five digits from Math.random, written both into
    // the hidden field (txtCaptcha) and into the visible div (txtCaptchaDiv)
    function DrawCaptcha()
    {
        var a = Math.ceil(Math.random() * 9) + '';
        var b = Math.ceil(Math.random() * 9) + '';
        var c = Math.ceil(Math.random() * 9) + '';
        var d = Math.ceil(Math.random() * 9) + '';
        var e = Math.ceil(Math.random() * 9) + '';

        var code = a + b + c + d + e;
        document.getElementById("txtCaptcha").value = code;
        document.getElementById("txtCaptchaDiv").innerHTML = code;
    }
    </script>
[+] namelezz|12 years ago|reply
You are kidding, right?
[+] nacs|12 years ago|reply
The best part about this CAPTCHA is that not only is the data contained within the CAPTCHA in plain-text in the source (more than once) but they actually add a background image to the text ( mirrored here: http://i.imgur.com/xlYbYZ7.jpg ) so it's harder for humans to decipher it but easy for bots..

  <span id="txtCaptchaDiv" style="background-image:url(1.jpg);
  font-weight:bold; font-family:Modern font-size=12">67839</span>
[+] girish_h|12 years ago|reply
It's easier to criticize a group without understanding the background of what they have achieved.

The Indian Railways runs one of the largest ecommerce sites in India - a site that has seen consistent YoY growth over the last few years since it launched. Last year, they are believed to have earned a revenue of nearly 100M USD.

The guys who built their reservation system have very good engineering chops - in fact these systems hit peak load of about a million queries (every day) during 10 AM - 12 noon (IST) when users and reservation agents try to access the site irctc.co.in from browsers / mobile / reservation counters etc.

The "captcha" was not even on this page a month back. The "PNR Enquiry" for which this page is intended is a feature that can be accessed through SMS & also from the irctc website. This is possibly the least visited page on indianrail.gov.in.

I have been an active user of both irctc.co.in & indianrail.gov.in over the last 7-8 years and have seen how these sites have grown.

[+] phaus|12 years ago|reply
No one is claiming anything other than the fact that the captcha is really horrible.

That being said, your defense of the site makes it sound even worse. Not only is the captcha horrible, but it took them almost all the way until 2014 to even implement one.

It is quite possible to have exceptionally good engineering chops and still be completely clueless when it comes to security.

I hope that the rest of the code powering this $100 million annual eCommerce traffic isn't as fundamentally flawed from a security aspect.

[+] krapp|12 years ago|reply
That's all very well and good, but it still seems like a useless and inept attempt at a captcha, a problem for which plenty of workable solutions already exist.
[+] user24|12 years ago|reply
I bet it stops spam though, at least for a while. I've seen captchas that literally just say "Type the word 'whistle' in the box".

They work because spammers often don't target specific sites but just run generic bots.

As soon as you throw something, even trivial, in the way, the spambots give up.

It wouldn't work for a high-value target of course.

If Indian Railway is a high-value target, then maybe they're just trying a 'dumb' solution and keeping an eye on spam to see if they need to put something cleverer in place.

[+] techaddict009|12 years ago|reply
Two possible reasons: 1) Incompetent developer. 2) It is being deliberately done so that other sites that give Railway information can still leech the information. And also, on paper, Railway can show that they have implemented proper security or whatever they think it is.
[+] kwhitefoot|12 years ago|reply
Surely a Captcha is the wrong solution to the problem (whatever the problem was). Instead of complaining about the implementation we should be wondering about the requirements. The only thing the Captcha does is raise the cost of pushing the 'Get Status' button. Simply limiting the rate at which the information was supplied to any given IP address would surely serve the same purpose. Anyway, take a look at the source and you will see that it is full of junk with &nbsp; everywhere as padding for alignment, obviously written by someone with a very poor grasp of web page implementation. The kind of thing I might throw together as a proof of concept to hand over to someone more adept for implementation. (I develop technical software.)

It isn't just the dev who is incompetent, the problem is the system in which he is working.
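The per-IP rate limit suggested in the comment above, as an added example that is not part of the thread or of the railway site: a sliding-window limiter keyed by client address, run over a constructed traffic sample in which one address polls in a tight loop next to ordinary users. It assumes Node.js; the limit of 10 requests per minute, the IP addresses and the timestamps are all constructed for the demonstration.

```javascript
// Added example (not from the thread or the railway site): per-client
// sliding-window rate limiter of the kind suggested above, keyed by source IP.
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;        // requests allowed per window
    this.windowMs = windowMs;  // window length in milliseconds
    this.hits = new Map();     // key -> ascending timestamps inside the window
  }

  // Returns true if the request may proceed, false if it should get HTTP 429.
  // `now` is injectable so the behaviour is reproducible in a test.
  allow(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const stamps = this.hits.get(key) || [];
    // Drop timestamps that have aged out of the window.
    while (stamps.length && stamps[0] <= cutoff) stamps.shift();
    if (stamps.length >= this.limit) {
      this.hits.set(key, stamps);
      return false;
    }
    stamps.push(now);
    this.hits.set(key, stamps);
    return true;
  }
  // Note: a production limiter also evicts idle keys so the map cannot grow
  // without bound; omitted here to keep the example short.
}

// Run a list of {ip, t} requests through a limiter and tally the outcome.
function simulate(limiter, requests) {
  const result = { allowed: 0, rejected: 0, rejectedByKey: {} };
  for (const { ip, t } of requests) {
    if (limiter.allow(ip, t)) {
      result.allowed++;
    } else {
      result.rejected++;
      result.rejectedByKey[ip] = (result.rejectedByKey[ip] || 0) + 1;
    }
  }
  return result;
}

// Constructed traffic sample (documentation-range addresses): one client
// fires 30 status lookups in 3 seconds; another makes two ordinary requests.
const SAMPLE_TRAFFIC = [];
for (let i = 0; i < 30; i++) SAMPLE_TRAFFIC.push({ ip: "203.0.113.5", t: 1000 + i * 100 });
SAMPLE_TRAFFIC.push({ ip: "198.51.100.9", t: 1500 });
SAMPLE_TRAFFIC.push({ ip: "198.51.100.9", t: 2500 });

// Assumed policy: 10 lookups per minute per address.
function demo() {
  const limiter = new SlidingWindowLimiter(10, 60 * 1000);
  return simulate(limiter, SAMPLE_TRAFFIC);
  // -> { allowed: 12, rejected: 20, rejectedByKey: { "203.0.113.5": 20 } }
}
```

Two practical caveats: the key must be the real client address (behind a reverse proxy that means trusting `X-Forwarded-For` only from the proxy, not from the client), and a rate limit caps volume rather than distinguishing humans from bots, so it answers a different requirement than a captcha does.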

[+] krapp|12 years ago|reply
Either way, it seems pretty obvious they don't actually care about security but do care about the appearance of security.

And viewing the source it looks like they have multiple head and body tags.

[+] ahmedmzl|12 years ago|reply
I would say option 1 + corruption.

The outsourcing provider is corrupt as a whole or the ministry didn't pay the outsourcing provider well.

The ministry gets a lot of money for the projects and finds the cheapest and most corrupt outsourcing provider they could find in the market so that they spend and also get the money back through backdoors.

But do note that the developers of the main booking site irctc.co.in may not be the same as the developers of indianrail.gov.in

Security and usability have not been a major concern for the government websites. If you want the worst designed bus booking website then take a look here: http://www.tnstc.in/TNSTCOnline/

[+] korvenadi|12 years ago|reply
I don't say they are incompetent. They might have some cost constraints and that is why it doesn't look appealing to you.
[+] dapatil|12 years ago|reply
    <input name="lccp_cap_val" value="12323" id="txtCaptcha" type="hidden">
[+] mattwritescode|12 years ago|reply
I was hoping nobody would find my code. That's what happens when you outsource your site to the west.
[+] factorialboy|12 years ago|reply
Given that their website is down or extremely slow all the time, the captcha won't be my #1 complaint. (-:
[+] vasundhar|12 years ago|reply
Simple shouldn't be stupid, it should be smart. Why not recaptcha for example? Less code, better work.