Old Attack Method Against Google's Audio-Based reCAPTCHA Resurrected
2021-01-04 13:36

An attack method discovered in 2017 for defeating the audio version of Google's reCAPTCHA system using speech-to-text services has once again been resurrected.

A team of researchers from the University of Maryland showed in 2017 that online speech-to-text services could be used to automatically solve reCAPTCHA v2 audio challenges with a high degree of accuracy.

After the method, known as unCaptcha, was disclosed, Google made some changes to its reCAPTCHA system and unCaptcha no longer worked.

As expected, the PoC did stop working, but Germany-based researcher Nikolai Tschacher has managed to tweak the PoC for unCaptcha2 to make it work against the latest version of reCAPTCHA v2.

Tschacher has published a video showing how a bot can solve the audio reCAPTCHA using Google's own speech-to-text API with an accuracy of 97%. Google introduced reCAPTCHA v3 in 2018, which improves user experience by running adaptive risk analysis in the background rather than displaying challenges, but Tschacher pointed out that "ReCAPTCHA v2 is still used in the new reCAPTCHA v3 as a fall-back mechanism."

It's worth noting that others have created free web browser extensions that help users automatically solve reCAPTCHA challenges with the press of a button using the unCaptcha method.


News URL

http://feedproxy.google.com/~r/Securityweek/~3/atIcSffGMkc/old-attack-method-against-googles-audio-based-recaptcha-resurrected