A CAPTCHA challenge is the first line of defense protecting a website against attacks; it challenges the visitor to prove they are a human user.
Google’s reCAPTCHA was introduced in 2014 and is used by a significant number of users. It relies on an advanced risk analysis engine and offers both audio and image challenges; the security researchers chose the audio challenge as their target.
unCAPTCHA is the name of a new automated system designed by a team of four computer science experts from the University of Maryland (UM) that can break Google’s reCAPTCHA challenges with an accuracy of 85%.
The system doesn’t target reCAPTCHA’s image-based challenges, but the audio version that Google added so people with disabilities can solve its puzzle.
How unCAPTCHA works
unCAPTCHA works by downloading this audio puzzle, feeding it to six speech recognition systems, aggregating the results, and feeding the most probable answer back to Google’s servers.
The process is completely automated: the system obtains the audio sample, separates it into segments for sound-bite analysis, and uploads the segments to online speech recognition services (IBM, Google Cloud, Google Speech Recognition, Sphinx, Wit-AI, Bing Speech Recognition).
Tests carried out by researchers show that unCAPTCHA can break 450 reCAPTCHA challenges with an 85.15% accuracy in 5.42 seconds, which is less time than a human needs to listen to one reCAPTCHA audio challenge.
unCAPTCHA available on GitHub
UM researchers published the code for unCAPTCHA on GitHub.
unCAPTCHA is not the first system of its kind. In March, a researcher published ReBreakCaptcha, almost identical to unCAPTCHA. The difference is that UM researchers notified Google of their work in advance, and the company worked to improve reCAPTCHA.
“Since that time, reCaptcha appears to include some additional protections that limit unCaptcha’s success,” researchers say.
“For instance, Google has also improved their browser automation detection,” the team added. “This means that Selenium cannot be used in its current state to get captchas from Google. This may lead to Google sending odd audio segments back to the end user. Additionally, we have observed that some audio challenges include not only digits, but small snippets of spoken text.”
AI bot also broke reCAPTCHA last week
Also last week, researchers announced they created an AI bot that works similarly to the human eye and can also break various CAPTCHA systems with high accuracy. More specifically, this new system solved Google reCAPTCHAs with 66.6% accuracy, BotDetect with 64.4%, Yahoo with 57.4%, and PayPal image challenges with 57.1%.
Bleeping Computer readers can read more about this new reCAPTCHA breaker in a research paper entitled “unCaptcha: A Low-resource Defeat of reCaptcha’s Audio Challenge.” The research paper was also part of the Usenix Workshop on Offensive Technologies (WOOT) 2017, which took place this August.