Researchers at East-Ee Security demonstrated a proof-of-concept bypass of Google's reCAPTCHA V2 verification system that uses different image, audio or text prompts to verify that a person, as opposed to a bot, is attempting to log in. Their exploit technique, called ReBreakCaptcha, makes use of web-based Google tools to break through Google's system. What are the flaws in Google's API that make this attack possible? What is the threat of bots being able to bypass the Google CAPTCHA?
A CAPTCHA, or a Completely Automated Public Turing Test to Tell Computers and Humans Apart, is used to protect forms on websites from being abused by bots and other nonhuman interactions, the idea being that it poses a test that humans can pass, but that an automated computer program can't.
CAPTCHA challenge tests include image and text challenges, as well as an audio test option to ensure that users with visual impairments can respond. reCAPTCHA is a free CAPTCHA service provided by Google that enables developers to easily incorporate CAPTCHA functionality into a website.
A post on the East-Ee Security website explained how a proof-of-concept Python script could automate the breaking of reCAPTCHA challenges by using Google's Speech Recognition API.
The blog explains how to force a site to present an audio CAPTCHA challenge and then convert the audio to the correct WAV file format before sending it to Google's Speech Recognition API. The API response is a string version of the correct answer, which can then be submitted as the answer to the CAPTCHA challenge. The CAPTCHA bypass script automates these tasks and answers the CAPTCHA within the accepted time window without any user intervention. However, according to an update from East-Ee, many users who downloaded the script complained that it failed to correctly solve harder CAPTCHA challenges.
The CAPTCHA bypass script may work on a simple challenge, but if Google suspects a nonhuman interaction, or if the answer to a CAPTCHA comes from a public proxy or IP address that Google has flagged as suspicious, then the reCAPTCHA service presents the user with a harder version of the CAPTCHA challenge. The harder audio challenges include background noise and an overlapping voice.
In an apparent effort to patch the vulnerability, Google has also raised the minimum number of digits used in a challenge from four or five to between 10 and 12, and it immediately switches to more complex challenges when a high-volume attack is identified. Even an updated version of the attack doesn't appear to have fully overcome these harder challenges; some of the harder audio challenges are even difficult for humans to decipher due to the constant hissing noises and overlapping voices.
Attempts to bypass Google's CAPTCHA have been published before, by Stiltwalker in 2012 and AppSec Labs in 2016, and there are various paid-for services that offer to automate the process, like Captcha Solutions, but the success rate of these tools is not known.
Related Q&A from Michael Cobb