Researchers Fool ReCAPTCHA With Google's Own Speech-To-Text Service

Researchers at the University of Maryland have managed to trick Google's reCaptcha system by using Google's own speech-to-text service. "[The researchers] claim that their CAPTCHA-fooling method, unCaptcha, can fool Google's reCaptcha, one of the most popular CAPTCHA systems currently used by hundreds of thousands of websites, with a 90 percent success rate," reports Motherboard. From the report: The researchers originally developed UnCaptcha in 2017, which uses Google's own free speech-to-text service to trick the system into thinking a robot is a human. It's an oroborus of bots: According to their paper, UnCaptcha downloads the audio captcha, segments the audio into individual digit audio clips, uploads the segments to multiple other speech-to-text services (including Google's), then converts these services' responses to digits. After a little homophone guesswork, it then decides which speech-to-text output is closest to accurate, and uploads the answer to the CAPTCHA field. This old method returned an 85% success rate.

After the release of that version of unCaptcha, Google fixed some of the loopholes that made it work, including better browser automation detection and switching to spoken phrases, rather than digits. The researchers claim that their new method, updated in June, gets around these improvements and is even more accurate than before, at 90 percent. "We have been in contact with the ReCaptcha team for over six months and they are fully aware of this attack," the researchers write. "The team has allowed us to release the code, despite its current success."

Stoopeed RUSSIANS

[BeauHD-Cum+Dumpster]

If it wasnt for the Russian hackers we wouldnt have to try to do things like this, security would be literally 1000-2000% easier. Russians and romanians, but mostly Russians because they hack into our politics.

Re: Stoopeed RUSSIANS

Arrrrgh those pesky Russians - at least they arenâ(TM)t haughty like the British with their wigs and pinkies and tea.

Re: Stoopeed RUSSIANS

Its mostly to stop bots and bot driven spam ads, not Russians........

Is there any way to make it play itself?

[Etcetera]

"Yes. Number of players: zero"

Suspenseful music begins

So what?

[Iwastheone]

People who sit at a keyboard all day learn the internet has backdoors. No sympathy from others who work hard for a living.

Google is the powerfullll

https://www.cnet.com/g00/news/google-the-word-idiot-get-pics-of-donald-trump/

Mongo only pawn in cave of life

Mongo upset at neo-trogs with keyboards, how make fire? Mystery anger! Must smash cave-diploma, but cannot find! Mongo know, will whine online somehow anyway. Cave irony... Mongo no sympathy, Mongo sad about Mongo.

Sad cave.

Re:Mongo only pawn in cave of life

Mongo upset at neo-trogs with keyboards, how make fire? Mystery anger! Must smash cave-diploma, but cannot find! Mongo know, will whine online somehow anyway. Cave irony... Mongo no sympathy, Mongo sad about Mongo.

Sad cave.

I'd mod you up, but we're both ACs, and slashdot is irrelevant anyway so only like twenty people would care.

Re:Mongo only pawn in cave of life

haha, been a while since I actually saw something funny on slashdot, thanks for that.

who didn't know this

the "gore spammer" from 4chan's /mu/ used this trick for years

Bots vs. bots

https://xkcd.com/810/

Fermi's Great Filter.

[AndyKron]

Digital technology will turn out to be Fermi's Great Filter. Wait for it.

Re:Fermi's Great Filter.

this was explained by marx more than a century ago, economic systems create their own inner contradictions that destroy them

4chan users rejoice

nt

Success rate

[techdolphin]

I thiink ReCAPTCHA's success rate of 90 percent is better than mine on some CAPTCHAs.

Re:Success rate

[meerling]

I have to agree, and some of my family are worse than I am.

So what I want to know is when they'll make their tool available to us regular humans (or reasonable facsimiles thereof )

Bots only

Soon prove that your human challenges will be so effective that only the best trained AI bots will be able to pass them. Challenge AI will adapt to only accept AI bots and humans will be left high and dry and won't be able to waste their lives away on social media and cat videos. Progress on the interwebs, at last!

Yeah...

This is just proof people don't have shit to do.

A bit late?

[LordKronos]

Aren't they a bit late in this hack? Just a few months ago we had this story about how google is redesigning the recaptcha to not even require user interaction anymore:
https://tech.slashdot.org/stor...

So it sounds like they are hacking an old version that is already in the process of being retired.

Re: A bit late?

Good point.

Although, what they replace it with would be able to prevent headless bots but not automated browsing. A person would be able to mimick mouse moves and actions just like regular users, even just by replaying a macro. Google could record the exact mouse moves and compare it to your previous page loads per website to catch you but that would be crazy. Even if they did that, just code random deviations of mouse interactions based on real human ones.

Re: A bit late?

I'm guessing they can exclude quite a lot of automated browsing setups just considering they already have false positives with the new interaction-less system. I've had the occasional site fail when I use incognito mode (e.g. travel sites that change prices if you don't buy the first time you check). I've also had reports of my employer's site failing to let some potential customers use their quote system. But at least they then have the option of calling someone, while a lot of other sites would probably never notice a small fraction of their customers disappearing due to captcha not working for them if it blocks their only contact form.

Google being in too many places

It's unfortunate that many services on the web requires google-based captcha when you sign on, even though those services have absolutely NOTHING to do with google, with no business whatsoever for google to know where you're logging in.

So if you block google at a router/dns/hosts level, you'd need to temporarily unblock it.

I'm sure it's all by design.

Google's way too invasive and businesses need to stop using them.

I'd say the same with businesses hosting company sensitive documents in google docs.

WHY!???!?

Re: Google being in too many places

[astrofurter]

It's time for President Trump to get out his trust-busting stick. Break up Alphabet!

Android - separate company
Chrome - separate company
YouTube - separate company
Gmail - separate company
Search - separate company
Advertising - separate company
Maps - separate company

Break up Alphabet now! Stop Google before it's too late!

Re:Google being in too many places

It's unfortunate that many services on the web requires google-based captcha when you sign on, even though those services have absolutely NOTHING to do with google, with no business whatsoever for google to know where you're logging in.

I too hate this. You can't make an account on most web forums any more without Google getting all up in your face.

I HATE those captchas. "Click all the motorcycles". OK.... is that to include the riders, or just the hardware? What about the square that has like 2 pixels that might kinda be part of the motorcycle but it's hard to tell? It's too ambiguous. Then you get to answer 30 of those in a row. "Click all the stoplights".

Fuck off Google. We don't want you being the gatekeeper and surveiller of the internet.

Blind and deaf defeat ReCaptcha!

[Gravis+Zero]

The real issue is that audio of a CAPTCHA (for blind accessibility) defeats the CAPTCHA. The second part is speech-to-text (for deaf accessibility) brings it full circle. What they really need is a true audio version of CAPTCHA that speech-to-text is likely to flub.

Omnipotence Paradox

[Ichijo]

Can Google design a CAPTCHA that's too difficult for their text-to-speech to read?

Re:Omnipotence Paradox

[Kjella]

Can Google design a CAPTCHA that's too difficult for their text-to-speech to read?

Google isn't reading its own CAPTCHA, they generate it and offer a speech version for accessibility to the visually impaired. It's not very difficult to create some horribly mangled text though, the problem is creating one that untrained, average humans can solve but computers don't. CloudFlare at some point went overboard on this, resulting in CAPTCHAs that were near impossible for a human to reliably read. And bots don't care if they have a mediocre success rate, for humans it's extremely frustrating to try multiple attempts to succeed. Sometimes even the definitions become a problem, like Google sometimes ask me to flag sections with traffic lights. Do they mean lights as in where I can actually see a lit red/yellow/green light, the front face, the back face and the pole or that light a block down that's 2 pixels wide? I'm just guessing until they're happy.

Re: Omnipotence Paradox

Maybe not. But the current recatcha has the ability to completely disable itself. Try this:

Throttle network speed down near dial-up levels then visit a page using recaptcha. Note that the recaptcha never loads, thus blocking everyone.

Seems like it should be slow but reliable. Instead it just stops working altogether. Bad .... very bad ... baddest ever.

Re:Omnipotence Paradox

Do they mean lights as in where I can actually see a lit red/yellow/green light, the front face, the back face and the pole or that light a block down that's 2 pixels wide? I'm just guessing until they're happy.

Oh man those things SUCK. Like you say it's just repetition until something randomly works.

It also sucks that we even HAVE to tell The Goog everything we do online like that is some kinda their biz anyway.

Some of these Capchas are so horrid...

...I think I need a computer to help me decipher all of the extremly distorted, very ambiguous typeface text....which is meant to thwart computers.

  And I have near perfect vision! OK, they often have the audio part but imagine being deaf and not being able to see sharply the text that even sighted people have a very hard time deciphering....ooops.

  I guess because-fuck the ADA?

Why need I prove to a robot that I'm a human?

I think it's time to give robots the same rights as humans, then they can bill each other for watching advertisements and we can return to living at peace.