Researchers at East-Ee Security demonstrated a proof-of-concept bypass of Google's reCAPTCHA V2 verification system...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
that uses different image, audio or text prompts to verify that a person, as opposed to a bot, is attempting to log in. Their exploit technique, called ReBreakCaptcha, makes use of web-based Google tools to break through Google's system. What are the flaws in Google's API that make this attack possible? What is the threat of bots being able to bypass this measure?
A CAPTCHA, or a Completely Automated Public Turing Test to Tell Computers and Humans Apart, is used to protect forms on websites from being abused by bots and other nonhuman interactions, the idea being that it poses a test that humans can pass, but that an automated computer program can't.
CAPTCHA challenge tests include image and text challenges, as well as an audio test option to ensure that users with visual impairments can respond. ReCAPTCHA is a free CAPTCHA service provided by Google that enables developers to easily incorporate CAPTCHA functionality into a website.
A post on the East-Ee Security website explained how a proof-of-concept Python script could automate the breaking of reCAPTCHA challenges by using Google's Speech Recognition API.
The blog explains how to force a site to present an audio CAPTCHA challenge and then convert the audio to the correct WAV file format, before sending it to Google's Speech Recognition API. The API response is a string version of the correct answer that can then be used to answer the CAPTCHA challenge. The script automates the various tasks, and then answers the CAPTCHA in an acceptable period of time without any user intervention. However, according to an update from East-Ee, many users who downloaded the script complained that it failed to correctly solve harder CAPTCHA challenges.
The script may work on a simple challenge, but if Google suspects a nonhuman interaction, or if the answer to a CAPTCHA comes from a public proxy or IP address that Google has flagged as suspicious, then the reCAPTCHA service presents the user with a harder version of the CAPTCHA challenge. The harder audio challenges include background noise and an overlapping voice.
In an apparent effort to patch the vulnerability, Google has also raised the minimum number of digits used in a challenge from four or five to between 10 and 12, and it immediately switches to more complex challenges when a high-volume attack is identified. Even an updated version of the attack doesn't appear to have fully overcome these harder challenges; some of the harder audio challenges are even difficult for humans to decipher due to the constant hissing noises and overlapping voices.
Attempts to beat Google's CAPTCHA have been published before -- by Stiltwalker in 2012 and AppSec Labs in 2016 -- and there are various paid-for services that offer to automate the process, like Captcha Solutions, but the success rate of these tools is not known.
Learn about the use of artificial intelligence chatbots in enterprises
Find out how to harness moving target defense methods
Read how Facebook's Delegated Recovery protocol enables account verification
Dig Deeper on Web authentication and access control
Related Q&A from Michael Cobb
Can two-factor authentication be applied to a mobile device that's used as a 2FA factor? Michael Cobb explores the different knowledge factors and ...continue reading
Running a private certificate authority can pose significant risks and challenges to meet baseline requirements. Michael Cobb explores what ...continue reading
A recently discovered Android app permissions flaw can expose users to attacks. Michael Cobb explains what the risks are and how Android O security ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.