An attack method first seen in 2017, which uses speech-to-text to bypass CAPTCHA protection, turns out to still work against Google’s latest reCAPTCHA v3, according to researcher Nikolai Tschacher. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It uses puzzles that only humans are supposed to be able to solve, in order to stop automated bots from logging in to accounts or registering new ones. reCAPTCHA is Google’s name for its own technology and free service, which uses image, text, or audio challenges to ensure that only a human can sign in to an account.
Researcher Nikolai Tschacher claims to have broken the second version of Google’s CAPTCHA implementation, known as reCAPTCHA. This system presents a visual puzzle, asking users to identify the parts of an image that contain a specific object. There is, however, an audio alternative for visually impaired people, which lets them type in the words they hear.
“The idea of the attack is very simple,” says Tschacher in his blog post. “You grab the mp3 file of the audio reCAPTCHA and you submit it to Google’s own Speech to Text API.”
The report includes a video demonstrating how Tschacher’s bot works. He also said that this attack technique even works on the latest version, reCAPTCHA v3. Tschacher pointed out that his bot would not be easy to abuse at scale, for three reasons in particular:
- Google rate-limits access to the audio CAPTCHA.
- Google is most probably tracking bot metrics.
- Google generates a fingerprint of each browsing device to keep bots out.
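The first two of those countermeasures are easy to picture in code. The block below is an added example, not code from the article or from Google: it implements a sliding-window rate limiter for a hypothetical audio-challenge endpoint and keeps a per-client ratio of audio to visual challenge requests as a simple bot metric. The limit of three audio challenges per ten-minute window, the suspicion threshold, and the replayed request log are all constructed values chosen for illustration.

```python
"""Added example: rate-limit audio CAPTCHA fetches and track an audio-vs-visual
challenge ratio per client. Limits and sample traffic are constructed for the
example and are not Google's actual thresholds."""
from collections import defaultdict, deque

AUDIO_LIMIT = 3        # assumed: max audio challenges per client per window
WINDOW_SECONDS = 600   # assumed: 10-minute sliding window


class AudioChallengeGuard:
    """Decides whether an audio challenge may be served and tracks a bot metric."""

    def __init__(self, limit=AUDIO_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._served = defaultdict(deque)      # client_id -> timestamps of served audio challenges
        self._audio_attempts = defaultdict(int)  # every audio request, served or not
        self._visual_attempts = defaultdict(int)

    def _prune(self, client_id, now):
        # Drop timestamps that have fallen out of the sliding window.
        q = self._served[client_id]
        while q and now - q[0] >= self.window:
            q.popleft()

    def request_audio(self, client_id, now):
        """Return True if the audio challenge is served, False if rate-limited."""
        self._audio_attempts[client_id] += 1
        self._prune(client_id, now)
        q = self._served[client_id]
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def request_visual(self, client_id):
        """Visual challenges are not limited here; they only feed the metric."""
        self._visual_attempts[client_id] += 1

    def audio_ratio(self, client_id):
        """Fraction of this client's challenge requests that asked for audio."""
        a = self._audio_attempts[client_id]
        v = self._visual_attempts[client_id]
        return a / (a + v) if a + v else 0.0

    def is_suspicious(self, client_id, threshold=0.8, min_samples=5):
        """Flag clients that almost always pick audio once enough samples exist."""
        total = self._audio_attempts[client_id] + self._visual_attempts[client_id]
        return total >= min_samples and self.audio_ratio(client_id) >= threshold


# Constructed request log: (timestamp in seconds, client fingerprint id, challenge kind).
SAMPLE_EVENTS = [
    (0, "bot-1", "audio"),
    (5, "human-1", "visual"),
    (10, "bot-1", "audio"),
    (15, "human-1", "visual"),
    (20, "bot-1", "audio"),
    (25, "human-1", "audio"),
    (30, "bot-1", "audio"),   # fourth audio fetch inside the window: denied
    (40, "bot-1", "audio"),   # fifth: denied
    (700, "bot-1", "audio"),  # window has slid past the first three: served again
]


def replay(events, guard=None):
    """Feed events through the guard; return per-client audio decisions and the guard."""
    guard = guard or AudioChallengeGuard()
    decisions = defaultdict(list)
    for ts, client, kind in sorted(events):
        if kind == "audio":
            decisions[client].append(guard.request_audio(client, ts))
        else:
            guard.request_visual(client)
    return dict(decisions), guard


if __name__ == "__main__":
    result, g = replay(SAMPLE_EVENTS)
    for client, served in result.items():
        print(client, served, "suspicious" if g.is_suspicious(client) else "ok")
```

The deque-per-client layout keeps the limiter O(1) amortised per request; in a real deployment the client key would be the device fingerprint the article mentions rather than a free-form string, and the metric would be one signal among several rather than a block decision on its own.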
CAPTCHA, ReCAPTCHA, UnCAPTCHA
Google has updated its technology frequently over the last few years to stay one step ahead of researchers. A group at the University of Maryland broke Google’s system using the same strategy in 2017. They published the code for their approach, called unCAPTCHA, and Google reworked reCAPTCHA to defeat their algorithm. The update foiled unCAPTCHA, but Tschacher’s technique modifies that same code to make it work again, with a success rate of 97%.
Google has already built behavioral analysis into the latest version of its bot-detection system; it assesses how humans interact with a website in order to spot bots. It uses a baseline of real traffic to specific websites to infer what is normal, which lets it flag anomalous activity.