Saturday, October 16, 2021

Researchers: Hackers Easily Bypass Google reCAPTCHA With Google’s Speech-to-Text API

Must Read

Integrated police operations Center launched in Cyberabad

The Telangana State Police Public Safety Integrated Operations Centre claimed to be India's earliest and most incorporated police operations...

New ModPipe malware Aims hospitality, Resort point of sale systems

The backdoor was made to goal PoS devices actively employed by tens of thousands of resorts and restaurants.A brand...

Cybercriminals are Doing Microsoft Exchange Exploitation by installing Cryptojacking

Cybercriminals continue to exploit Microsoft Exchange unpatched servers. Cybersecurity investigators at Sophos report an unknown attack after trying to...

A three-year-old attack technique to bypass Google’s audio reCAPTCHA by using its own Speech-to-Text API has been found to still work.

A researcher uses an old unCAPTCHA trick against the latest audio version of reCAPTCHA, with a 97% accuracy rate.

Researcher Nikolai Tschacher disclosed his findings in a Video of proof-of-concept (POC) of the attack on January 2.

An old attack method dating back to 2017 that uses voice-to-text to bypass CAPTCHA protection turns out to still work on Google’s latest reCAPTCHA v3.

“The idea of the attack is very simple: You grab the MP3 file of the audio reCAPTCHA and you submit it to Google’s own speech-to-text API,” Tschacher said in a write-up. “Google will return the correct answer in over 97% of all cases.”

CAPTCHA, introduced in 2014, is an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart.

ReCaptcha is Google’s name for its own technology and free service that uses image, audio, or text challenges to verify that a human is signing into an account.

It’s a bit of code available free of charge from Google for accounts that handle less than 1 million queries a month. Google recently started charging for larger reCAPTCHA accounts.

reCAPTCHA is a popular version of the CAPTCHA technology that was acquired by Google in 2009. The search giant released the third iteration of reCAPTCHA in October 2018. It completely eliminates the need to disrupt users with challenges in favor of a score (0 to 1) that’s returned based on a visitor’s behavior on the website — all without user interaction.

The report includes a video showing how Tschacher’s bot works. He added that this attack method works on even the latest version, reCAPTCHA v3.

Tschacher pointed out that his bot wouldn’t be easy to exploit at scale for three specific reasons: Google rate-limits audio CAPTCHA access; Google is likely tracking bot metrics; and, it creates a fingerprint of each browsing device to stop bots.

“But still, we are approaching a point in time where the Turing Test can be solved by advanced AI, thus making CAPTCHAs harder and harder to implement,” Tschacher told. “CAPTCHAs will be replaced by passive AI that collects all kinds of data to constantly determine the browsing signal appears to be human or not. The decision will be based on browsing fingerprint, JavaScript user interaction events such as mouse movements and key presses, and IP-address metadata.”  

To carry out the attack, the audio payload is programmatically identified on the page using tools like Selenium, then downloaded and fed into an online audio transcription service such as Google Speech-to-Text API, the results of which are ultimately used to defeat the audio CAPTCHA. 

The whole attack hinges on research dubbed “unCaptcha,” published by University of Maryland researchers in April 2017 targeting the audio version of reCAPTCHA who then reported they “achieved 85 percent accuracy” with the tech they Named“UnCAPTCHA.” 

Google responded with improved browser automation detection and the use of spoken phrases instead of numbers, according to the researchers’ GitHub reports. But by June 2018 researchers found the latest reCAPTCHA was easier to trick that its predecessor.

Following the attack’s disclosure, Google updated reCAPTCHA in June 2018 with improved bot detection and support for spoken phrases rather than digits, but not enough to thwart the attack  for the researchers released “unCaptcha2” as a PoC with even better accuracy (91% when compared to unCaptcha’s 85%) by using a “screen clicker to move to certain pixels on the screen and move around the page like a human.”

In March 2018, Google addressed a separate flaw in reCAPTCHA that allowed a web application using the technology to craft a request to “/recaptcha/api/siteverify” in an insecure manner and get around the protection every time.

The German researcher published the PoC code.

The automatic resolution of CAPTCHA challenges has become a very popular area of research, even free browser extensions have been developed that help users respond to these tests at the push of a button.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

Leave a reply

Please enter your comment!
Please enter your name here

Latest News

Unified endpoint management automation software to boost endpoint security

Endpoints are constantly connected to the internet, so they offer a gateway for cyberattacks. Endpoint security is simply the process...

Attackers Using Morse Code in phishing campaign to Evade Detection

Microsoft on Thursday revealed the techniques used by attackers to avoid detection using morse code in the phishing campaign.Microsoft also revealed the workings of...

Murata Manufacturing suffers data breach of employees and customer

Japanese electronic components manufacturer Murata has released an apology Notice for the data breach of thousands of files in June that contained bank account...

Everything about Signalling System 7(SS7)

Signaling System 7 (SS7) is an international telecommunication protocol standard that controls and regulates the network elements in a public switched telephone network (PSTN)....

Zimbra flaw lets attackers access the mail servers

Researchers discovered a flaw in the open-source Zimbra code. As a result, an attacker would gain unrestricted access to all sent and received emails...

More Articles Like This