Google Speech-to-Text API Can Be Used to Bypass Google reCAPTCHA: A security researcher has recently demonstrated that Google’s audio reCAPTCHA can be bypassed effectively by using Google’s own Speech-to-Text API. Proof of concept (PoC) of the attack reveals that it work with 97% accuracy.
What is CAPTCHA?
Invented in 1997, CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It is a widely used technology to determine whether the user behind a computer is real or a spam robot. This is achieved by a series of challenge and response tests where users are expected to answer correctly.
As a challenge and response mechanism, a randomly generated sequence of letter and/or numbers that appear as distorted images are displayed to the users. To pass the test, users are expected to type the characters they see in distorted image correctly in the text box. For another test type, users are expected to choose correct images out of a variety of other images in response to a test question. Yet for a third type, audio challenges can be used optionally for visually impaired users.
The CAPTCHA technology used by Google is called reCAPTCHA, that is a popular version version of the CAPTCHA technology that was acquired by Google in 2009.
How does It Work?
Basically, the attack works by creating an MP3 file of the audio reCAPTCHA and submitting it to the Google Speech-to-Text API. To automate this process, the audio payload is programmatically identified on the page and downloaded to be fed into the Google Speech-to-Text API.
Actually, this recently demonstrated attack is not a new discovery. Initially, researchers from the University of Maryland demonstrated the attack in 2017 with a research paper “unCaptcha: A Low-resource Defeat of reCaptcha’s Audio Challenge“. The details of the attacks has been shared by the researchers on the unCaptcha attack official webpage. Shared by the researchers, the PoC of this original research can also be found on the GitHub.
Following the disclosure of unCaptcha in 2017, Google updated reCaptcha with improved bot detection to thwart the attack. However, researchers also enhanced the original unCaptcha attack (unCaptcha2) in response to Google’s update, to demonstrate that the attack still works, and this time with even better accuracy of 91% as compared to the 85% of the original unCaptcha. In response to unCaptcha2 attack, Google released the updated version reCAPTCHA v3.
This latest demonstration by the researcher reveals that unCaptcha2 attack can still be used effectively on reCAPTCHA v3. The details of this latest PoC can be found on the YouTube video shared by the researcher.
- Research Paper (unCaptcha: A Low-Resource Defeat of reCaptcha’s Audio Challenge)
- Official Web Page of unCaptcha Attack
- GitHub Page for the Original PoC of unCaptcha
- GitHub Page for the unCaptcha2