Friday, January 24, 2025
HomeBotnetunCaptcha2 Bypassed Google ReCaptcha with 91% Accuracy

unCaptcha2 Bypassed Google ReCaptcha with 91% Accuracy

Published on

SIEM as a Service

Follow Us on Google News

Researchers from the University of Maryland recently break the Google’s
ReCaptcha audio challenge system using new unCaptcha2 with 91% of accuracy.

ReCaptcha is one the most popular system that protects website from bots and challenge that provides “I am not a robot” popups to make sure the website accessing by a real human.

This is one of the widely used system by millions of website in order to protect from bots and now its breaks second time using Google own
speech-to-text service.

Earlier attempt on 2017, unCaptcha bypassed the ReCaptcha
digits chellange with 85% accuracy then later Google fixed and released an update.

Update contain some of the Major changes that includes Better browser automation detection and Spoken phrases rather than digits.

This was initially successful until the new unCaptcha2 break the new system on June 2018, and the unCaptcha2 bypass method shared to the
 Google ReCaptcha team.

unCaptcha2 Demo

unCaptcha2 basically using publicly available speech to text API in order to process the successful audio challenge to achieve 90% of accuracy.

It using a screen clicker to move to certain pixels on the screen and move around the page like a human.

According to the researchers, ” Since every users are different activities
unCaptcha2 has to go to specific coordinates on the screen , so based on the
your setup, coordinates  need to be updated.

There are 6 different simple unCaptcha2 approaches need to follow in order to achive the task.

  1. Navigate to Google’s ReCaptcha Demo site
  2. Navigate to audio challenge for ReCaptcha
  3. Download audio challenge
  4. Submit audio challenge to Speech To Text
  5. Parse response and type answer
  6. Press submit and check if successful

Users can use different speech-to-text API but you need to set your own credentials based on the API you choose.

In this case, some of the best speech-to-text API from Google’s, Microsoft’s, and IBM’s speech-to-text systems are already included in queryAPI.py.

“You’ll have to set the username and password as required; for Google’s API, you’ll have to set an environment variable (GOOGLE_APPLICATION_CREDENTIALS) with a file containing your Google application credentials.”

Now researchers released the code in GitHub since Recaptcha team is aware of this attack vector, and have confirmed they are okay with us releasing this code, despite its current success rate.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

Beware of Fake Captcha Verifications Spreading Lumma Malware

In January, Netskope Threat Labs uncovered a sophisticated global malware campaign leveraging fake CAPTCHA...

KEYPLUG Infrastructure Exposed: Server Configurations and TLS Certificates Revealed

In a recent technical investigation, researchers uncovered critical insights into the infrastructure linked to...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Salt Typhoon Hacked Nine U.S. Telecoms, Tactics and Techniques Revealed

Salt Typhoon, a state-sponsored Advanced Persistent Threat (APT) group linked to the People's Republic...

Murdoc Botnet Exploiting AVTECH Cameras & Huawei Routers to Gain Complete Control

Researchers have identified an active malware campaign involving a Mirai botnet variant, dubbed Murdoc,...

New IoT Botnet Launching Large-Scale DDoS attacks Hijacking IoT Devices

Large-scale DDoS attack commands sent from an IoT botnet's C&C server targeting Japan and...