Thursday, March 28, 2024

unCaptcha2 Bypassed Google ReCaptcha with 91% Accuracy

Researchers from the University of Maryland recently break the Google’s
ReCaptcha audio challenge system using new unCaptcha2 with 91% of accuracy.

ReCaptcha is one the most popular system that protects website from bots and challenge that provides “I am not a robot” popups to make sure the website accessing by a real human.

This is one of the widely used system by millions of website in order to protect from bots and now its breaks second time using Google own
speech-to-text service.

Earlier attempt on 2017, unCaptcha bypassed the ReCaptcha
digits chellange with 85% accuracy then later Google fixed and released an update.

Update contain some of the Major changes that includes Better browser automation detection and Spoken phrases rather than digits.

This was initially successful until the new unCaptcha2 break the new system on June 2018, and the unCaptcha2 bypass method shared to the
 Google ReCaptcha team.

unCaptcha2 Demo

unCaptcha2 basically using publicly available speech to text API in order to process the successful audio challenge to achieve 90% of accuracy.

It using a screen clicker to move to certain pixels on the screen and move around the page like a human.

According to the researchers, ” Since every users are different activities
unCaptcha2 has to go to specific coordinates on the screen , so based on the
your setup, coordinates  need to be updated.

There are 6 different simple unCaptcha2 approaches need to follow in order to achive the task.

  1. Navigate to Google’s ReCaptcha Demo site
  2. Navigate to audio challenge for ReCaptcha
  3. Download audio challenge
  4. Submit audio challenge to Speech To Text
  5. Parse response and type answer
  6. Press submit and check if successful

Users can use different speech-to-text API but you need to set your own credentials based on the API you choose.

In this case, some of the best speech-to-text API from Google’s, Microsoft’s, and IBM’s speech-to-text systems are already included in queryAPI.py.

“You’ll have to set the username and password as required; for Google’s API, you’ll have to set an environment variable (GOOGLE_APPLICATION_CREDENTIALS) with a file containing your Google application credentials.”

Now researchers released the code in GitHub since Recaptcha team is aware of this attack vector, and have confirmed they are okay with us releasing this code, despite its current success rate.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles