Researcher Breaks reCAPTCHA With Google’s Speech-to-Text API
2021-01-04 21:45

reCAPTCHA is Google's name for its own technology and free service that uses image, audio or text challenges to verify that a human is signing into an account.

Google recently started charging for larger reCAPTCHA accounts.

Tschacher pointed out that his bot wouldn't be easy to exploit at scale for three specific reasons: Google rate-limits audio CAPTCHA access; Google is likely tracking bot metrics; and it creates a fingerprint of each browsing device to stop bots.

"Thanks to the changes to the audio challenge, passing reCAPTCHA is easier than ever before. The code now only needs to make a single request to a free, publicly available speech to text API to achieve around 90 percent accuracy over all CAPTCHAs," according to the GitHub findings from the University of Maryland team.

The report added that the reCAPTCHA bug was reported to Google in June 2018, and they okayed the release of the unCAPTCHA2 code.

"This is a clever approach in that it uses an alternate scheme made available for visually impaired people to de-fang reCAPTCHA - and using Google's own speech-to-text API adds a bit of irony to the workaround. Hard to see how to supply support for the visually impaired without making reCAPTCHA a lot more easy to game."


News URL

https://threatpost.com/researcher-breaks-recaptcha-speech-to-text-api/162734/