A new algorithm called unCAPTCHA has been developed by researchers from the University of Maryland. It can defeat the reCAPTCHA system developed by Google to boost its AI security. The reason behind the development of reCAPTCHA was to avoid ticking of the box in reCAPTCHA boxes to prove that you are not a bot.
The system was believed to be pretty successful, but University of Maryland researchers have burst the bubble for Google by introducing an unCAPTCHA system with a success rate of 85%. The method can compromise the reCAPTCHA system by exploiting a flaw in its audio version.
According to researchers, it requires browser automation software to easily analyze the numbers programmatically to fool target sites to believe that the bot is a human. unCAPTCHA, explains research team targets the popular website Reddit by exploring the motions of new user creation and stopping before it is created to lessen the impact on Reddit. Various previously identified vulnerabilities in Google’s security system are exploited to abuse the AI and undermine the “suspicion level” of reCAPTCHA considerably.
Moreover, a series of audio transcription services were used by the team to defeat reCAPTCHA including IBM, Speech Recognition, Google Cloud, Wit-AI, Sphinx and Bing Speech Recognition. The flaw was disclosed in April, and it is evident that Google has implemented additional security measures to restrict the success rate of unCAPTCHA. For example, the company has improved the automation detection mechanism of its browser, which helps in sending back “odd audio segments” back to the end user.
The complete proof of concept [PDF] was presented as a slide at the Usenix WOOT 2017 conference held in Vancouver and has already been released as a paper that can be viewed here. Watch how it’s done in the following video: