Researcher Breaks ReCAPTCHA Using Google's Speech Recognition API (bleepingcomputer.com) 22
An anonymous reader writes: "A researcher has discovered what he calls a "logic vulnerability" that allowed him to create a Python script that is fully capable of bypassing Google's reCAPTCHA fields using another Google service, the Speech Recognition API," reports BleepingComputer. The attack is incredibly simple and works by downloading a version of the reCAPTCHA audio challenge, feeding it into Google's Speech Recognition API, getting the text-version of the audio challenge, and feeding it back into the reCAPTCHA field. Proof-of-concept code is available on GitHub, and the researcher says Google has failed to patch the issue, albeit it's unclear if he ever notified the company. The attack also only works against reCAPTCHA v2, not other versions like v1, or the upcoming Invisible reCAPTCHA (v3). Because the source code for the exploit is available online, security experts expect to see it ported to JavaScript and used to create browser extensions that bypass reCAPTCHA fields, especially when using the Tor Browser.
this is hilarious (Score:2, Insightful)
and quite clever. i wonder if it can do better than the 10-20% or so success rate i get on the same captchas?
recaptcha is absolutely horrible, especially if you're on cellular, tor, a vpn, or just a common open hotspot... they make no fucking sense, they aren't words, just long random strings of similar looking gibberish and skewed so much the letters are absolutely unrecognizable. so anything that can break that shit.. i'm all for it.
Even more hilarious (Score:2)
the funniest thing, i find, is that reCaptcha was initially designed to crowd-source difficult AI problems.
(OCR, image recognition).
So after a while, it seems normal that with enough such recaptcha crowdsourced feedback, google's voice recognition will get better, and thus could also be used to understand audio captchas?
the problem will be:
what will happen if this gets massive deployment? google won't be able to learn new stuff, teach its AI new tricks.
Whenever there is a new difficult piece of voice, when
Re: (Score:2)
security experts expect to see it ported to JavaScript and used to create browser extensions that bypass reCAPTCHA fields, especially when using the Tor Browser.
Damn those pesky Tor Browser users!
Re: (Score:2)
They already have something similar with trying to find all the boxes with the street sign. Those never work right. What if the sign takes up a few pixels in a box, does that count?
Re: (Score:1)
Re: (Score:2)
What if the sign takes up a few pixels in a box, does that count?
That is one of my problems with such recaptchas. The other problem, does a stop sign, yield sign, railroad crossing sign, etc, count as a street sign, or do they only mean signs with street names on them? I assume the former, and answer accordingly, but it always gives me a new set of images, with no indication on whether I passed or failed the previous test, so I have no fucking clue.
Re: (Score:2)
Because you have 1 out of 3 chance of getting it right by chance, which is more than good enough for spammers.
Also it is not that hard to recognize an animal cry or everyday sounds automatically, and there is a limited number of options because you need to only make choices that are common knowledge.
crowd sourcing AI training (Score:2)
the whole point of recaptcha is crowd sourcing ai training.
some of the audio captchas aren't purposely distorted synthetic bits, but actual snips of real-world data with which google voice is having problems. (just like visual captchas can also help training the OCR or image recognition).
the suggestion you're making would be training data for a different AI task
(tagging/recognition of sounds, and common knowledge/logic databases).
Re: (Score:1)
What does the fox say?