Researchers from the University of Maryland recently defeated Google’s reCAPTCHA 2 audio challenge system with the unCAPTCHA 2 proof of concept, which bypasses the latest version of reCAPTCHA with 91% accuracy as of January 2019.
reCAPTCHA is one of the most popular systems for protecting websites from bots. It presents “I am not a robot” challenge popups to make sure the website is being accessed by a real human.
The work is a follow-up to an attack published in April 2017 by the university’s Kevin Bock, Daven Patel, George Hughey and Dave Levin, again attacking the audio challenges. Since then, Google has fixed and released an update of the code, enhancing the browser automation detection and using spoken phrases instead of spoken digits.
The unCaptcha system uses a publicly available speech-to-text API and has now been modified to use a screen clicker that moves to certain pixels on the screen to mimic human movement. unCaptcha parses the response, types the answer, clicks submit and checks whether the response to the challenge was correct. It is able to bypass Google reCAPTCHA once again.
The researchers shared their work with the reCAPTCHA team, which authorized them to release the code after six months.
The group said: “While unCaptcha2 is tuned for Google’s Demo site, it can be changed to work for any such site – the logic for defeating ReCaptcha will be the same.” Thus, it could also be used to bypass other security systems such as BotDetect, Yahoo, and PayPal image challenges.
“The Recaptcha team is aware of this attack vector, and have confirmed they are okay with us releasing this code, despite its current success rate. This attack vector was deemed out of scope for the bug bounty program,” continue the experts.
The researchers have released the code on GitHub.