Friday, July 23, 2021

Researchers: Hackers Easily Bypass Google reCAPTCHA With Google’s Speech-to-Text API

Must Read

Gmail Now supports email logo authentication BIMI

Google LLC today announced a small but potentially important email security update. Gmail is officially rolling out support for...

Chinese Cloud Hopper Attackers Use Zerologon at New Campaign

Chinese state-sponsored attackers are working a significant worldwide campaign against several verticals harnessing the Zerologon vulnerability, based on a...

Misconfigured AWS Bucket Exposes Social Influencers

A misconfigured cloud storage bucket has subjected that the private details of countless social networking influencers, possibly placing them...

A three-year-old attack technique to bypass Google’s audio reCAPTCHA by using its own Speech-to-Text API has been found to still work.

A researcher uses an old unCAPTCHA trick against the latest audio version of reCAPTCHA, with a 97% accuracy rate.

Researcher Nikolai Tschacher disclosed his findings in a Video of proof-of-concept (POC) of the attack on January 2.

An old attack method dating back to 2017 that uses voice-to-text to bypass CAPTCHA protection turns out to still work on Google’s latest reCAPTCHA v3.

“The idea of the attack is very simple: You grab the MP3 file of the audio reCAPTCHA and you submit it to Google’s own speech-to-text API,” Tschacher said in a write-up. “Google will return the correct answer in over 97% of all cases.”

CAPTCHA, introduced in 2014, is an acronym for Completely Automated Public Turing Test to Tell Computers and Humans Apart.

ReCaptcha is Google’s name for its own technology and free service that uses image, audio, or text challenges to verify that a human is signing into an account.

It’s a bit of code available free of charge from Google for accounts that handle less than 1 million queries a month. Google recently started charging for larger reCAPTCHA accounts.

reCAPTCHA is a popular version of the CAPTCHA technology that was acquired by Google in 2009. The search giant released the third iteration of reCAPTCHA in October 2018. It completely eliminates the need to disrupt users with challenges in favor of a score (0 to 1) that’s returned based on a visitor’s behavior on the website — all without user interaction.

The report includes a video showing how Tschacher’s bot works. He added that this attack method works on even the latest version, reCAPTCHA v3.

Tschacher pointed out that his bot wouldn’t be easy to exploit at scale for three specific reasons: Google rate-limits audio CAPTCHA access; Google is likely tracking bot metrics; and, it creates a fingerprint of each browsing device to stop bots.

“But still, we are approaching a point in time where the Turing Test can be solved by advanced AI, thus making CAPTCHAs harder and harder to implement,” Tschacher told. “CAPTCHAs will be replaced by passive AI that collects all kinds of data to constantly determine the browsing signal appears to be human or not. The decision will be based on browsing fingerprint, JavaScript user interaction events such as mouse movements and key presses, and IP-address metadata.”  

To carry out the attack, the audio payload is programmatically identified on the page using tools like Selenium, then downloaded and fed into an online audio transcription service such as Google Speech-to-Text API, the results of which are ultimately used to defeat the audio CAPTCHA. 

The whole attack hinges on research dubbed “unCaptcha,” published by University of Maryland researchers in April 2017 targeting the audio version of reCAPTCHA who then reported they “achieved 85 percent accuracy” with the tech they Named“UnCAPTCHA.” 

Google responded with improved browser automation detection and the use of spoken phrases instead of numbers, according to the researchers’ GitHub reports. But by June 2018 researchers found the latest reCAPTCHA was easier to trick that its predecessor.

Following the attack’s disclosure, Google updated reCAPTCHA in June 2018 with improved bot detection and support for spoken phrases rather than digits, but not enough to thwart the attack  for the researchers released “unCaptcha2” as a PoC with even better accuracy (91% when compared to unCaptcha’s 85%) by using a “screen clicker to move to certain pixels on the screen and move around the page like a human.”

In March 2018, Google addressed a separate flaw in reCAPTCHA that allowed a web application using the technology to craft a request to “/recaptcha/api/siteverify” in an insecure manner and get around the protection every time.

The German researcher published the PoC code.

The automatic resolution of CAPTCHA challenges has become a very popular area of research, even free browser extensions have been developed that help users respond to these tests at the push of a button.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.


Please enter your comment!
Please enter your name here

Latest News

OAIC: Uber found to have interfered with the privacy of over 1.2 million Australians

The Office of the Australian Information Commissioner (OAIC) has determined that Uber Technologies, Inc. and Uber B.V. have interfered...

Over 80 US Municipalities data are exposed due to Misconfigured Amazon S3

A team of Cybersecurity researchers at Wizcase found major data exposure of Over 80 US Municipalities due to the Misconfigured Amazon S3 Bucket. This happened...

Formbook malware Upgraded as an XLoader malware to Attack macOS Systems

Researchers have spotted an upgraded malware variant of Formbook malware which is now Upgraded as an XLoader malware to Attack macOS Systems. Cybersecurity researchers on...

Millions of HP, Samsung, Xerox Printers are Vulnerable to 16 year old bug

A 16-year-old security vulnerability affects Millions of HP, Samsung, Xerox Printers Driver allows attackers to gain admin rights on systems using the vulnerable driver...

MosaicLoader malware targets cracked software via SEO poisoning

New MosaicLoader malware targets users that are searching to download cracked software. Cybercriminals run ad campaigns in search engine results to boost their malicious...

More Articles Like This