A security researcher has revealed a “logic vulnerability” within Google’s reCAPTCHA fields which allowed him to bypass the software using the search giant’s own speech recognition API.
Researcher East-EE outlined the so -called ‘ReBreakCaptcha’ flaw on GitHub, explaining how he first discovered it last year and that, as of Tuesday, the vulnerability remained unpatched.
He released a proof-of concept script on GitHub using the Python programming language, which allows attackers to automatically bypass reCAPTCHA fields used to protect websites from spam and bot traffic.
ReBreakCaptcha works in three stages. The first involves making sure the correct challenge type is displayed, i.e. an audio challenge.
reCaptcha always presents one of three possible challenges: Image, where the user is requested to select from a set of images based on a given description; Audio, where the user is required to enter the digits heard from an audio recording; or text, where a category and five candidate phrases are provided and the user must select the phrases which best match the category.
When presented with either an Image or Text challenge, simply clicking on the headphone icon or selecting the ‘Reload Challenge’ button will generate an Audio challenge which “can be easily bypassed”.
The next step involves “taking advantage of one Google service to beat another Google service”. The audio file provided needs to be downloaded, converted into a ‘wav’ format and sent to Google’s speech recognition API.
“There is a great Python library named ‘SpeechRecognition’ for performing speech recognition, with support for several engines and APIs, online and offline,” East-EE says. “We will use this library implementation of Google Speech Recognition API.
“We will send the ‘wav’ audio file and the Speech Recognition will send us back the result in a string (e.g. ‘25143’). This result will be the solution to our audio challenge.”
Finally, by simply pasting the output string into the reCaptcha textbox and clicking ‘Verify,’ the service can be bypassed.
East-EE doesn’t make it clear if Google is aware of the vulnerability. Silicon has contacted Google for comment and will update this page as soon as we receive a response.