unCaptcha2 Bypassed Google ReCaptcha with 91% Accuracy

Researchers from the University of Maryland recently break the Google’s
ReCaptcha audio challenge system using new unCaptcha2 with 91% of accuracy.

ReCaptcha is one the most popular system that protects website from bots and challenge that provides “I am not a robot” popups to make sure the website accessing by a real human.

This is one of the widely used system by millions of website in order to protect from bots and now its breaks second time using Google own
speech-to-text service.

Earlier attempt on 2017, unCaptcha bypassed the ReCaptcha
digits chellange with 85% accuracy then later Google fixed and released an update.

Update contain some of the Major changes that includes Better browser automation detection and Spoken phrases rather than digits.

This was initially successful until the new unCaptcha2 break the new system on June 2018, and the unCaptcha2 bypass method shared to the
 Google ReCaptcha team.

unCaptcha2 Demo

unCaptcha2 basically using publicly available speech to text API in order to process the successful audio challenge to achieve 90% of accuracy.

It using a screen clicker to move to certain pixels on the screen and move around the page like a human.

According to the researchers, ” Since every users are different activities
unCaptcha2 has to go to specific coordinates on the screen , so based on the
your setup, coordinates  need to be updated.

There are 6 different simple unCaptcha2 approaches need to follow in order to achive the task.

1. Navigate to Google’s ReCaptcha Demo site
2. Navigate to audio challenge for ReCaptcha
3. Download audio challenge
4. Submit audio challenge to Speech To Text
5. Parse response and type answer
6. Press submit and check if successful

Users can use different speech-to-text API but you need to set your own credentials based on the API you choose.

In this case, some of the best speech-to-text API from Google’s, Microsoft’s, and IBM’s speech-to-text systems are already included in queryAPI.py.

“You’ll have to set the username and password as required; for Google’s API, you’ll have to set an environment variable (GOOGLE_APPLICATION_CREDENTIALS) with a file containing your Google application credentials.”

Now researchers released the code in GitHub since Recaptcha team is aware of this attack vector, and have confirmed they are okay with us releasing this code, despite its current success rate.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.