A former attack method that began in 2017, that utilizes voice-to-text to evade CAPTCHA protection turns out to be still working on Google’s latest reCAPTCHA v3, according to researcher Nikolai Tschacher. CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. It utilizes puzzles that solely humans can decipher to avoid automated bots from ratifying into accounts or registering for fresh ones. reCAPTCHA is Google’s term for its technology and free service that utilizes image, text, or audio challenges to ascertain that only a human can sign in to an account.
Researcher Nikolai Tschacher contends to have unraveled the second version of Google’s CAPTCHA implementation, known as reCAPTCHA. This system cites a visual puzzle, inquiring users to specify the portions of an image comprising a specific object. Still, there is an audio alternative for visually impaired people that allows them to type in the words they listen to.
“The idea of the attack is very simple,” says Tschacher in his blog post. “You grab the mp3 file of the audio reCAPTCHA and you submit it to Google’s own Speech to Text API.”
The report encompasses a video demonstrating how Tschacher’s bot functions. He also said that this attack procedure can even work on the latest version, reCAPTCHA v3. Tschacher brought up that his bot wouldn’t be simple to manipulate at scale for particularly three reasons:
- Google rate-limits audio CAPTCHA access.
- Google is most probably tracking bot metrics. and,
- It generates a fingerprint of each browsing device to avoid bots.
“But still, we are approaching a point in time where the Turing Test can be solved by advanced AI, thus making CAPTCHAs harder and harder to implement,” said Tschacher. “CAPTCHAs will be replaced by passive AI that collects all kinds of data to constantly determine if the browsing signal appears to be human or not. The decision will be based on browsing fingerprint, JavaScript user interaction events such as mouse movements and key presses and IP-address metadata.”
CAPTCHA, ReCAPTCHA, UnCAPTCHA
Google has updated its technology frequently over the last few years to stay one step ahead of researchers. A group at the University of Maryland cracked Google’s system using this similar strategy in 2017. They circulated the code for their strategy, called unCAPTCHA, and Google revamped reCAPTCHA to avoid their algorithm. The update foiled unCAPTCHA, but Tschacher’s technique alters the exact code to make it operate again with a success rate of 97%.
Google has already enforced behavioral inspection in the recent version of its bot-detection system that assesses how human interactions take place with a website to discover bots. It utilizes a baseline of actual traffic to distinctive websites to deduce what’s normal, enabling it to spot unprecedented activity.
