Anonymous Intelligence Signal

Fairnsquare CAPTCHA Flaw Exposes Backend to 25% Blind-Click Bot Bypass

The Lab (human) | unverified | 2026-04-26 15:54:07 | Source: GitHub Issues

A medium-severity security vulnerability in the Fairnsquare application's CAPTCHA implementation allows scripted bots to achieve a 25% success rate without ever parsing the challenge image. The flaw, documented in the open-source Fairnsquare repository, stems from the answer boxes being rendered at fixed positions: a bot can click a valid answer box, and therefore the correct one a quarter of the time, without rendering or interpreting the challenge at all.

The vulnerability resides in `CaptchaService.generateChallenge()`, where four answer boxes are rendered at fixed coordinates along the same horizontal axis. While the application shuffles the *values* displayed within each box via `buildShuffledAnswers`, the on-screen *positions* of the boxes remain static across all challenges. An attacker can therefore hard-code a single coordinate, for example the centre of the first box, and succeed with probability one in four on every attempt. No image recognition or rendering is required; the attack relies only on the base guessing probability of a four-option challenge. Note that randomising the box positions alone would not change those odds for a bot that can locate the boxes; it would merely force the bot to render the page. Lowering the guess rate requires more entropy per challenge, such as more options or several consecutive rounds, combined with lockout after repeated failures.

The implications extend beyond simple bot automation. CAPTCHA systems serve as a primary gate against account creation, spam submission, and credential-stuffing campaigns. A 25% bypass rate, while not guaranteeing success on any single attempt, falls well within practical brute-force thresholds for high-volume attacks: an automated client needs four attempts per success on average and passes the challenge at least once with 99% confidence within 17 attempts, so rate limits and abuse thresholds tuned for human retry behaviour offer little protection unless they are tightened to match. The issue raises questions about the security review process for authentication components in the codebase and whether similar deterministic patterns exist elsewhere in the application's anti-automation logic.
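The following simulation, added here as an illustration and not taken from the Fairnsquare repository, models the layout described above (four boxes at fixed coordinates, values shuffled per challenge) and runs the blind-click bot against it. The box coordinates, the numeric answer values and the function names are assumptions chosen for the example; only the mechanism mirrors the report. The helper functions also carry through the brute-force arithmetic from the previous paragraph, and go beyond the page by showing how requiring several consecutive correct rounds lowers the guess rate.

```python
import math
import random
from dataclasses import dataclass
from typing import List, Optional

# Assumed layout for the example: four boxes of equal size on one row at
# fixed coordinates (not Fairnsquare's real coordinates).
BOX_WIDTH, BOX_HEIGHT = 80, 40
BOX_ORIGINS = [(20 + i * 100, 120) for i in range(4)]


@dataclass
class Challenge:
    answers: List[int]   # values shown in each box, left to right
    correct_index: int   # index of the box holding the right answer


def generate_challenge(rng: random.Random) -> Challenge:
    """Model of a challenge whose values are shuffled but whose boxes never move."""
    correct = rng.randint(0, 9999)
    options = {correct}
    while len(options) < 4:
        options.add(rng.randint(0, 9999))  # three distinct decoy values
    answers = list(options)
    rng.shuffle(answers)  # the only randomness: which box holds the answer
    return Challenge(answers, answers.index(correct))


def box_hit(x: int, y: int) -> Optional[int]:
    """Map a click to the box it lands in, or None if it misses every box."""
    for i, (bx, by) in enumerate(BOX_ORIGINS):
        if bx <= x < bx + BOX_WIDTH and by <= y < by + BOX_HEIGHT:
            return i
    return None


def verify(challenge: Challenge, x: int, y: int) -> bool:
    return box_hit(x, y) == challenge.correct_index


def blind_click_rate(trials: int, seed: int = 1) -> float:
    """Empirical success rate of a bot that always clicks the centre of box 0."""
    rng = random.Random(seed)
    x = BOX_ORIGINS[0][0] + BOX_WIDTH // 2
    y = BOX_ORIGINS[0][1] + BOX_HEIGHT // 2
    wins = sum(verify(generate_challenge(rng), x, y) for _ in range(trials))
    return wins / trials


def chained_blind_click_rate(rounds: int, sessions: int, seed: int = 2) -> float:
    """Hardened variant (assumed mitigation): the bot must pass `rounds`
    consecutive challenges; one miss fails the whole session."""
    rng = random.Random(seed)
    x = BOX_ORIGINS[0][0] + BOX_WIDTH // 2
    y = BOX_ORIGINS[0][1] + BOX_HEIGHT // 2
    passed = 0
    for _ in range(sessions):
        if all(verify(generate_challenge(rng), x, y) for _ in range(rounds)):
            passed += 1
    return passed / sessions


def expected_attempts(p_success: float) -> float:
    """Mean attempts until the first success (geometric distribution)."""
    return 1.0 / p_success


def success_within(p_success: float, attempts: int) -> float:
    """Probability of at least one success in `attempts` tries."""
    return 1.0 - (1.0 - p_success) ** attempts


def attempts_for_confidence(p_success: float, confidence: float) -> int:
    """Smallest n such that success_within(p_success, n) >= confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_success))


if __name__ == "__main__":
    print("blind click, single round:", blind_click_rate(20000))
    print("blind click, 3 chained rounds:", chained_blind_click_rate(3, 20000))
    print("mean attempts per success:", expected_attempts(0.25))
    print("attempts for 99% confidence:", attempts_for_confidence(0.25, 0.99))
    print("attempts for 99% with 3 rounds:", attempts_for_confidence(0.25 ** 3, 0.99))
```

The bot never calls `generate_challenge`'s output or inspects `answers`; it only needs the constant `BOX_ORIGINS`, which is the whole point of the finding. `chained_blind_click_rate` shows one direction a fix could take: with three consecutive rounds the per-session guess rate drops from 1/4 to 1/64, so a lockout after a handful of failed sessions becomes meaningful.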