Researcher Discover “A logic vulnerability” dubbed ReBreakCaptcha to bypassing Google’s reCAPTCHA fields which is using for prevent from robots and abusive scripts to access sites by using google’s Speech Recognition API.
According to the Security Researcher , a bypass Technique called ReBreakCaptcha which is used for bypass Google’s ReCaptcha v2 anywhere on the web.
The proof-of-concept code the researcher released allows attackers to automate the process of bypassing reCAPTCHA fields, currently used on millions of sites to keep out spam bots.
Researcher explained in East-Ee Security , ReBreakCaptcha works in three stages ,
- Audio Challenge – Getting the correct challenge type.
- Recognition – Converting the audio challenge audio and sending it to Google’s Speech Recognition API.
- Verification – Verifying the Speech Recognition result and bypassing the ReCaptcha.
As per the Explantion give by the East-Ee Security , 3 Types of ReBreakCaptcha challenges has bee performed in this task .
The challenge contains a description and an image which consists of 9 sub-images. The user is requested to select those sub-images that best match the given description.
The challenge contains an audio recording, The user is requested to enter the digits that are heard.
Now we have the audio challenge Recognition file and are ready to send it to Google Speech Recognition. How can this be done? Using their API.
The challenge contains a category and 5 candidate phrases. The user is requested to select those phrases which best match the given category.
The [verification] stage is fairly short.
“All we need to do now is to copy-paste the output string from Stage 2 into the text box and click ‘Verify’ on the ReCaptcha widget. That’s right, we now semi-automatically used Google’s Services to bypass another service of its own.”
ReBreakCaptcha vulnerability still unpatched by Google
East-EE has named this assault ReBreakCaptcha, and he says he found this weakness in 2016. Today, when he opened up to the Public about his research, he said the vulnerability was still unpatched .
Researcher released allows attackers to automate the process of bypassing reCAPTCHA fields, currently used on millions of sites to keep out spam bots by proof-of-concept code which is written by python and available in Github .
Also Read :