unCaptcha2 Bypassed Google ReCaptcha with 91% Accuracy

Researchers from the University of Maryland recently break the Google’s
ReCaptcha audio challenge system using new unCaptcha2 with 91% of accuracy.

ReCaptcha is one the most popular system that protects website from bots and challenge that provides “I am not a robot” popups to make sure the website accessing by a real human.

This is one of the widely used system by millions of website in order to protect from bots and now its breaks second time using Google own
speech-to-text service.

Earlier attempt on 2017, unCaptcha bypassed the ReCaptcha
digits chellange with 85% accuracy then later Google fixed and released an update.

Update contain some of the Major changes that includes Better browser automation detection and Spoken phrases rather than digits.

This was initially successful until the new unCaptcha2 break the new system on June 2018, and the unCaptcha2 bypass method shared to the
 Google ReCaptcha team.

unCaptcha2 Demo

unCaptcha2 basically using publicly available speech to text API in order to process the successful audio challenge to achieve 90% of accuracy.

It using a screen clicker to move to certain pixels on the screen and move around the page like a human.

According to the researchers, ” Since every users are different activities
unCaptcha2 has to go to specific coordinates on the screen , so based on the
your setup, coordinates  need to be updated.

There are 6 different simple unCaptcha2 approaches need to follow in order to achive the task.

  1. Navigate to Google’s ReCaptcha Demo site
  2. Navigate to audio challenge for ReCaptcha
  3. Download audio challenge
  4. Submit audio challenge to Speech To Text
  5. Parse response and type answer
  6. Press submit and check if successful

Users can use different speech-to-text API but you need to set your own credentials based on the API you choose.

In this case, some of the best speech-to-text API from Google’s, Microsoft’s, and IBM’s speech-to-text systems are already included in queryAPI.py.

“You’ll have to set the username and password as required; for Google’s API, you’ll have to set an environment variable (GOOGLE_APPLICATION_CREDENTIALS) with a file containing your Google application credentials.”

Now researchers released the code in GitHub since Recaptcha team is aware of this attack vector, and have confirmed they are okay with us releasing this code, despite its current success rate.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

1 day ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

1 day ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

1 day ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

1 day ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

2 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

3 days ago