Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Google Security The Internet Software Technology

Researcher Breaks ReCAPTCHA Using Google's Speech Recognition API (bleepingcomputer.com) 22

An anonymous reader writes: "A researcher has discovered what he calls a "logic vulnerability" that allowed him to create a Python script that is fully capable of bypassing Google's reCAPTCHA fields using another Google service, the Speech Recognition API," reports BleepingComputer. The attack is incredibly simple and works by downloading a version of the reCAPTCHA audio challenge, feeding it into Google's Speech Recognition API, getting the text-version of the audio challenge, and feeding it back into the reCAPTCHA field. Proof-of-concept code is available on GitHub, and the researcher says Google has failed to patch the issue, albeit it's unclear if he ever notified the company. The attack also only works against reCAPTCHA v2, not other versions like v1, or the upcoming Invisible reCAPTCHA (v3). Because the source code for the exploit is available online, security experts expect to see it ported to JavaScript and used to create browser extensions that bypass reCAPTCHA fields, especially when using the Tor Browser.
This discussion has been archived. No new comments can be posted.

Researcher Breaks ReCAPTCHA Using Google's Speech Recognition API

Comments Filter:
  • this is hilarious (Score:2, Insightful)

    by Anonymous Coward

    and quite clever. i wonder if it can do better than the 10-20% or so success rate i get on the same captchas?

    recaptcha is absolutely horrible, especially if you're on cellular, tor, a vpn, or just a common open hotspot... they make no fucking sense, they aren't words, just long random strings of similar looking jibbrish and skewed so much the letters are absolutely unrecognizable. so anything that can break that shit.. i'm all for it.

    • the funniest thing, i find, is that reCaptcha was initially designed to crowd-source difficult AI problems.
      (OCR, image recognition).

      So after a while, it seems normal that with enough such recaptcha crowdsourced feedback, google's voice recognition will get better, and thus could also be used to understand audio captchas ?

      the problem will be:
      what will happen is this get massive deployment ? google won't be able to learn new stuff, teach it AI new tricks.
      Whenever there is a new difficult piece of voicd, when

      • security experts expect to see it ported to JavaScript and used to create browser extensions that bypass reCAPTCHA fields, especially when using the Tor Browser.

        Damn those pesky Tor Browser users!

The trouble with being punctual is that nobody's there to appreciate it. -- Franklin P. Jones

Working...