- Google’s reCaptcha audio challenge that seeks to keep bots away from websites has been beaten twice in the past year.
- University of Maryland researchers came up with an attack that works more than 90% of the time against the security measure.
- The attack hasn’t been patched with Google being notified about the break-in method 6 months ago.
We have all run into annoying Captchas when firing up websites or trying to log into various online accounts. While Google has been working on a modern implementation of the security measure, four researchers from the University of Maryland have been able to bypass the reCaptcha system by using a custom tool.
This is the second time researchers Kevin Bock, Daven Patel, George Hughey, and Dave Levin were able to break into reCaptcha using its audio verification system. reCaptcha’s accessibility feature allows users who use screen readers to repeat phrases generated by the security feature to get access.
The first tool created by the researchers downloaded the audio file generated by the reCaptcha feature and used speech-to-text services to repeat the phrase to get access. The researchers initially achieved over 85% accuracy when breaking into the audio challenge. Google was notified about the exploit, and a fix was released.
Even after Google updated its reCaptcha audio challenge, the researchers were able to bypass the security measure with their new tool with even higher accuracy. The researchers revealed “Thanks to the changes to the audio challenge, [parsing] ReCaptcha is easier than ever before. The code now only needs to make a single request to a free, publicly available speech to text API to achieve around 90 percent accuracy overall captchas.”
With over 6 months have passed since Google was made aware of the exploit, so the group made their code public even after knowing the high success rate of the tool. The ReCaptcha break-in tool has been dubbed unCaptcha 2 with the source code available on GitHub. Kevin Bock told TechNadu, “Also, unCaptcha doesn’t let you break into any site that offers accessibility features, though site administrators should be aware that they cannot really rely on reCaptcha to protect them from bots at this time.”
What do you think about the unCaptcha 2 tool? Let us know in the comments below. If you could share the article online, it would also be great so others can find it too. Come chat with us on Facebook and Twitter.