Google has always been at the forefront of authentication and security, and with a view to the future of authentication it acquired reCAPTCHA in 2009. Like any other product, reCAPTCHA had its shortcomings. But little did Google know that a vulnerability that plagued reCAPTCHA two years ago would resurface, showing how Google reCAPTCHA authentication can be successfully bypassed by bots.
reCAPTCHA is not Perfect
CAPTCHA enables websites to distinguish between a bot and a human, making it the first line of defense against bot attacks. However, in the just over six years since its implementation, a vulnerability was discovered in its then-current version, reCAPTCHA v2. This exploit, termed unCAPTCHA, achieved 85% accuracy in bypassing reCAPTCHA’s speech authentication technique, which was put in place for the visually impaired. This was soon rectified, and a newer version named reCAPTCHA v3 was released in October 2018.
Now, after two years of running trouble-free, another researcher, Nikolai Tschacher, has presented a proof-of-concept showing that the vulnerability still exists: a bot can submit the reCAPTCHA audio file to Google’s own speech-to-text API to bypass the authentication. Surprisingly, the researcher claims that the accuracy, which was 85% in 2017 when the vulnerability was first discovered, has now risen to more than 90%.
How the Google reCAPTCHA Bypass Works
The idea of the attack is simple. You grab the mp3 file of the audio reCAPTCHA and you submit it to Google’s own Speech-to-Text API, and voilà, you have the bypass.
– Nikolai Tschacher
To demonstrate the Google reCAPTCHA bypass, the bot follows these simple steps:
- Navigate to a website protected by Google’s reCAPTCHA.
- Switch to the reCAPTCHA audio challenge.
- Click the download link for the audio challenge.
- Submit the downloaded audio file to Google’s Speech-to-Text API.
- Parse the response and type the transcribed answer into the field.
- Press “Submit” to check whether the bypass was successful.
The only remaining problem is locating the exact on-screen coordinates of the elements to click, so that they can be fed to the bot’s code to perform the clicks reliably. However, the unCAPTCHA2 demo suggests these can easily be found with the shell command “xdotool getmouselocation --shell.” Once the bot has the coordinates, it is just a matter of a few clicks before the bypass works.
This is a newer variant of the older vulnerability, and experts are hoping that Google patches it soon, before it is exploited in the wild.