According to researchers, the idea of the attack is to grab the MP3 file of the audio reCAPTCHA and submit it to Google’s own Speech to Text API.
Exploit and patch: a never-ending story in the cybersecurity world, sometimes with exactly the same flaws. The latest chapter concerns a Google reCAPTCHA exploit that was found over 3 years ago, in 2017, by researchers at the University of Maryland.
The exploit used a speech-to-text mechanism to defeat the audio challenges (offered for visually impaired people) that reCAPTCHA threw at it, making it possible for automated scripts to bypass such barriers. It was called unCaptcha, and Google patched it shortly afterward.
Then in 2019, an edited version of the original exploit, dubbed unCaptcha 2, was up and running again, with a proof of concept showcasing exactly how. This too was rendered ineffective after a while, since the researchers did not continue to update their exploit.
Now, in 2021, we have news that another researcher, Nikolai Tschacher, has changed the code of unCaptcha 2 so that it works against Google’s current reCAPTCHA v2. Some may think that the release of reCAPTCHA v3 makes this irrelevant, but that would be untrue, since a large number of websites still use the former version.
As for how he did it, in his own words: the audio that Google provides for the captcha challenge is taken in MP3 form and then submitted to “Google’s own Speech to Text API”, which translates it into text with 97% accuracy.
In a blog post, the researcher stated that:
The idea of the attack is very simple: You grab the mp3 file of the audio reCAPTCHA and you submit it to Google’s own Speech to Text API. Google will return the correct answer in over 97% of all cases.
Proof of Concept
To conclude, Google should patch this as well, but once and for all this time, considering that the same flaw has been exploited again and again over the years. The above video serves as a testament to how easy it can be to do so, and if nothing else, kudos to the researcher for coming up with an effective yet simple trick to make the exploit work.