Friday, March 29, 2024

unCaptcha2 Bypassed Google ReCaptcha with 91% Accuracy

Researchers from the University of Maryland recently break the Google’s
ReCaptcha audio challenge system using new unCaptcha2 with 91% of accuracy.

ReCaptcha is one the most popular system that protects website from bots and challenge that provides “I am not a robot” popups to make sure the website accessing by a real human.

This is one of the widely used system by millions of website in order to protect from bots and now its breaks second time using Google own
speech-to-text service.

Earlier attempt on 2017, unCaptcha bypassed the ReCaptcha
digits chellange with 85% accuracy then later Google fixed and released an update.

Update contain some of the Major changes that includes Better browser automation detection and Spoken phrases rather than digits.

This was initially successful until the new unCaptcha2 break the new system on June 2018, and the unCaptcha2 bypass method shared to the
 Google ReCaptcha team.

unCaptcha2 Demo

unCaptcha2 basically using publicly available speech to text API in order to process the successful audio challenge to achieve 90% of accuracy.

It using a screen clicker to move to certain pixels on the screen and move around the page like a human.

According to the researchers, ” Since every users are different activities
unCaptcha2 has to go to specific coordinates on the screen , so based on the
your setup, coordinates  need to be updated.

There are 6 different simple unCaptcha2 approaches need to follow in order to achive the task.

  1. Navigate to Google’s ReCaptcha Demo site
  2. Navigate to audio challenge for ReCaptcha
  3. Download audio challenge
  4. Submit audio challenge to Speech To Text
  5. Parse response and type answer
  6. Press submit and check if successful

Users can use different speech-to-text API but you need to set your own credentials based on the API you choose.

In this case, some of the best speech-to-text API from Google’s, Microsoft’s, and IBM’s speech-to-text systems are already included in queryAPI.py.

“You’ll have to set the username and password as required; for Google’s API, you’ll have to set an environment variable (GOOGLE_APPLICATION_CREDENTIALS) with a file containing your Google application credentials.”

Now researchers released the code in GitHub since Recaptcha team is aware of this attack vector, and have confirmed they are okay with us releasing this code, despite its current success rate.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles