Shared by the researchers, the PoC of this original research can also be found on the GitHub.įollowing the disclosure of unCaptcha in 2017, Google updated reCaptcha with improved bot detection to thwart the attack. The details of the attacks has been shared by the researchers on the unCaptcha attack official webpage. Initially, researchers from the University of Maryland demonstrated the attack in 2017 with a research paper “ unCaptcha: A Low-resource Defeat of reCaptcha’s Audio Challenge“. To automate this process, the audio payload is programmatically identified on the page and downloaded to be fed into the Google Speech-to-Text API.Īctually, this recently demonstrated attack is not a new discovery. How does It Work?īasically, the attack works by creating an MP3 file of the audio reCAPTCHA and submitting it to the Google Speech-to-Text API. The CAPTCHA technology used by Google is called reCAPTCHA, that is a popular version version of the CAPTCHA technology that was acquired by Google in 2009. Yet for a third type, audio challenges can be used optionally for visually impaired users. For another test type, users are expected to choose correct images out of a variety of other images in response to a test question. To pass the test, users are expected to type the characters they see in distorted image correctly in the text box. This is achieved by a series of challenge and response tests where users are expected to answer correctly.Īs a challenge and response mechanism, a randomly generated sequence of letter and/or numbers that appear as distorted images are displayed to the users. It is a widely used technology to determine whether the user behind a computer is real or a spam robot. Invented in 1997, CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Proof of concept (PoC) of the attack reveals that it work with 97% accuracy. Google Speech-to-Text API Can Be Used to Bypass Google reCAPTCHA: A security researcher has recently demonstrated that Google’s audio reCAPTCHA can be bypassed effectively by using Google’s own Speech-to-Text API.
0 kommentar(er)
