
Researcher Uses Google Speech Recognition To Bypass Google reCAPTCHA

A security researcher has revealed a “logic vulnerability” within Google’s reCAPTCHA fields which allowed him to bypass the software using the search giant’s own speech recognition API.

Researcher East-EE outlined the so-called ‘ReBreakCaptcha’ flaw on GitHub, explaining how he first discovered it last year and that, as of Tuesday, the vulnerability remained unpatched.

He released a proof-of-concept script on GitHub, written in the Python programming language, which allows attackers to automatically bypass reCAPTCHA fields used to protect websites from spam and bot traffic.

reCAPTCHA flaw

ReBreakCaptcha works in three stages. The first involves making sure the correct challenge type is displayed, i.e. an audio challenge.

reCAPTCHA always presents one of three possible challenges: Image, where the user is requested to select from a set of images based on a given description; Audio, where the user is required to enter the digits heard from an audio recording; or Text, where a category and five candidate phrases are provided and the user must select the phrases which best match the category.

When presented with either an Image or Text challenge, simply clicking on the headphone icon or selecting the ‘Reload Challenge’ button will generate an Audio challenge which “can be easily bypassed”.

The next step involves “taking advantage of one Google service to beat another Google service”. The audio file provided needs to be downloaded, converted into a ‘wav’ format and sent to Google’s speech recognition API.

“There is a great Python library named ‘SpeechRecognition’ for performing speech recognition, with support for several engines and APIs, online and offline,” East-EE says. “We will use this library implementation of Google Speech Recognition API.

“We will send the ‘wav’ audio file and the Speech Recognition will send us back the result in a string (e.g. ‘25143’). This result will be the solution to our audio challenge.”

Finally, by simply pasting the output string into the reCAPTCHA textbox and clicking ‘Verify’, the service can be bypassed.

East-EE doesn’t make it clear if Google is aware of the vulnerability. Silicon has contacted Google for comment and will update this page as soon as we receive a response.


Sam Pudwell

Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.
