Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Breaks ReCAPTCHA Using Google's Speech Recognition API (bleepingcomputer.com)

Posted by BeauHD on from the taste-of-your-own-medicine dept.

An anonymous reader writes: "A researcher has discovered what he calls a "logic vulnerability" that allowed him to create a Python script that is fully capable of bypassing Google's reCAPTCHA fields using another Google service, the Speech Recognition API," reports BleepingComputer. The attack is incredibly simple and works by downloading a version of the reCAPTCHA audio challenge, feeding it into Google's Speech Recognition API, getting the text-version of the audio challenge, and feeding it back into the reCAPTCHA field. Proof-of-concept code is available on GitHub, and the researcher says Google has failed to patch the issue, albeit it's unclear if he ever notified the company. The attack also only works against reCAPTCHA v2, not other versions like v1, or the upcoming Invisible reCAPTCHA (v3). Because the source code for the exploit is available online, security experts expect to see it ported to JavaScript and used to create browser extensions that bypass reCAPTCHA fields, especially when using the Tor Browser.

9 of 22 comments (clear)

  1. this is hilarious by Anonymous Coward · · Score: 2, Insightful

    and quite clever. i wonder if it can do better than the 10-20% or so success rate i get on the same captchas?

    recaptcha is absolutely horrible, especially if you're on cellular, tor, a vpn, or just a common open hotspot... they make no fucking sense, they aren't words, just long random strings of similar looking jibbrish and skewed so much the letters are absolutely unrecognizable. so anything that can break that shit.. i'm all for it.

  2. Re:reading back numbers is dumb by ArchieBunker · · Score: 1

    They already have something similar with trying to find all the boxes with the street sign. Those never work right. What if the sign takes up a few pixels in a box, does that count?

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  3. Re:reading back numbers is dumb by GuB-42 · · Score: 1

    Because you have 1 out of 3 chance of getting it right by chance, which is more than good enough for spammers.
    Also it is not that hard to recognize an animal cry or everyday sounds automatically, and there is a limited number of options because you need to only make choices that are common knowledge.

  4. Even more hilarious by DrYak · · Score: 1

    the funniest thing, i find, is that reCaptcha was initially designed to crowd-source difficult AI problems.
    (OCR, image recognition).

    So after a while, it seems normal that with enough such recaptcha crowdsourced feedback, google's voice recognition will get better, and thus could also be used to understand audio captchas ?

    the problem will be:
    what will happen is this get massive deployment ? google won't be able to learn new stuff, teach it AI new tricks.
    Whenever there is a new difficult piece of voicd, when submitted to recaptcha for crowdsourcing, the swarm of google-voice powered bots will answer with the default (broken?) answer.
    and given the massive number of answers, recaptcha will reach the wrong conclusion that the default is good.
    the actual few humans will be first useless for AI training in the middle of the bot noise, and then will get problems once recaptcha decide that the bad automatic interpretation is the correct one.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Even more hilarious by monkeyzoo · · Score: 1

      security experts expect to see it ported to JavaScript and used to create browser extensions that bypass reCAPTCHA fields, especially when using the Tor Browser.

      Damn those pesky Tor Browser users!

  5. crowd sourcing AI training by DrYak · · Score: 1

    the whole point of recaptcha is crowd sourcing ai training.

    some of the audio captcha aren't purposely distorted synthetic bits, but actual snips of real-world data with which google voice is.having problems. (just like visual captcha can also help training the OCR or imagr recognition ).

    the suggestion you're making would be training data for a different AI task
    (tagging/recognition of sounds, and common knowledge/logic databases).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  6. Re:reading back numbers is dumb by Dwedit · · Score: 1

    What does the fox say?

  7. Re:reading back numbers is dumb by Visarga · · Score: 1

    In practice the street signs/store fronts challenge almost never work. I select as best I can and it doesn't approve me. Maybe I'm a bot??

  8. Re:reading back numbers is dumb by Golddess · · Score: 1

    What if the sign takes up a few pixels in a box, does that count?

    That is one of my problems with such recaptchas. The other problem, does a stop sign, yield sign, railroad crossing sign, etc, count as a street sign, or do they only mean signs with street names on them? I assume the former, and answer accordingly, but it always gives me a new set of images, with no indication on whether I passed or failed the previous test, so I have no fucking clue.

    --
    "I'm not sure I like the fugnutish tone you used in your post!" -RogL (608926)-