A team of researchers at the University of Maryland released unCaptcha2 last week, an updated version of their tool Uncaptcha that defeated Google’s reCAPTCHA audio challenge with 85.15% accuracy in 2017. Google’s Audio challenge is aimed at solving reCAPTCHA’s accessibility problem for visually challenged people who can’t see where to “tick the box” to prove that they’re a human and not a robot. Hence, they’re offered an option to listen to the audio and enter what they hear as a response.
UnCaptcha, which was released in 2017, managed to pass the reCAPTCHA audio system by using an approach that involved downloading the audio and segmenting it. These segments were then uploaded to multiple speech-to-text services, which in turn would convert the message.
Finally, the response obtained would be typed into the reCAPTCHA form to solve the challenge. However, after the attack in 2017, Google updated the reCAPTCHA form by introducing changes such as improved browser automation detection and using spoken phrases instead of digits for reCAPTCHA. These changes managed to successfully protect reCAPTCHA from the 2017 unCaptcha attack but failed to protect it from the new unCaptcha2.
“As of June 2018, these challenges have been solved. The reCAPTCHA team..is..fully aware of this attack. The team has allowed us to release the code. The code now only needs to make a single request to a free, publicly available speech to text API (by Google) to achieve around 90% accuracy over all the captchas”, states the team.
UnCaptcha2 makes use of a screen clicker that helps it move to certain pixels on the screen and move around the webpage as a human would. However, this method is not very robust and still needs more working. Also, unCaptcha2 uses a different approach than the first version and no longer requires the use of multiple speech-to-text engines as well as the segmentation approach. UnCaptcha2 involves navigating to Google’s ReCaptcha Demo site, navigating to audio challenge for reCAPTCHA and then downloading the audio challenge. After this step, the audio challenge is submitted to Speech To Text services. Finally, the response obtained is typed in and submitted to solve the challenge.
“unCaptcha2, like the original version, is meant to be a proof of concept. As Google updates its service, this repository will not be updated. As a result, it is not expected to work in the future, and is likely to break at any time,” state the researchers.
*** This is a Security Bloggers Network syndicated blog from Security News – Packt Hub authored by Natasha Mathur. Read the original post at: https://hub.packtpub.com/researchers-release-uncaptcha2-a-tool-that-uses-googles-speech-to-text-api-to-bypass-the-recaptcha-audio-challenge/