Researcher breaks Google CAPTCHA using speech-to-text AI


    An attack method dating from 2017 that uses voice-to-text to evade CAPTCHA protection still works against Google’s latest reCAPTCHA v3, according to researcher Nikolai Tschacher. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It uses puzzles that only humans can solve to prevent automated bots from logging in to accounts or registering new ones. reCAPTCHA is Google’s name for its technology and free service that uses image, text, or audio challenges to verify that only a human can sign in to an account.

    Researcher Nikolai Tschacher claims to have broken the second version of Google’s CAPTCHA implementation, known as reCAPTCHA. This system presents a visual puzzle, asking users to identify the portions of an image that contain a specific object. However, there is an audio alternative for visually impaired people that lets them type in the words they hear.

    “The idea of the attack is very simple,” says Tschacher in his blog post. “You grab the mp3 file of the audio reCAPTCHA and you submit it to Google’s own Speech to Text API.”

    The report includes a video demonstrating how Tschacher’s bot works. He also said that the attack works even on the latest version, reCAPTCHA v3. Tschacher noted that his bot would not be easy to operate at scale, for three reasons:

    • Google rate-limits audio CAPTCHA access.
    • Google is very likely tracking bot metrics.
    • Google generates a fingerprint of each browsing device to keep bots out.

    “But still, we are approaching a point in time where the Turing Test can be solved by advanced AI, thus making CAPTCHAs harder and harder to implement,” said Tschacher. “CAPTCHAs will be replaced by passive AI that collects all kinds of data to constantly determine if the browsing signal appears to be human or not. The decision will be based on browsing fingerprint, JavaScript user interaction events such as mouse movements and key presses and IP-address metadata.” 


    Google has updated its technology frequently over the last few years to stay one step ahead of researchers. A group at the University of Maryland cracked Google’s system using a similar strategy in 2017. They published the code for their approach, called unCAPTCHA, and Google revamped reCAPTCHA to defeat their algorithm. The update foiled unCAPTCHA, but Tschacher’s technique modifies that same code to make it work again, with a success rate of 97%.

    Google has already introduced behavioral analysis in the recent version of its bot-detection system, which assesses how humans interact with a website in order to detect bots. It uses a baseline of real traffic to different websites to infer what is normal, enabling it to spot unusual activity.
