unCAPTCHA: Google rushed to celebrate the security offered by the reCAPTCHA service, a system that automatically recognizes that you are not a bot.
A team of researchers from the University of Maryland developed a new algorithm, called unCAPTCHA. The new algorithm can beat Google's reCAPTCHA system with a success rate of 85 percent. This method exploits a vulnerability in the audio version of reCAPTCHA.
The researchers used browser automation software to analyze the necessary data and determine the numbers announced by Google in the audio challenge. They then submitted these numbers programmatically, in order to trick the checks that Google's AI uses to tell bots from people.
To make this happen, the AI they developed exploits several known flaws in Google's security system to significantly reduce reCAPTCHA's level of suspicion.
Most strikingly, the researchers used a number of audio transcription services to defeat the system. Surprisingly, these services were from IBM, Google Cloud and Google Speech Recognition, Sphinx, Wit-AI, and also Bing Speech Recognition. So, in a way, the researchers used Google technology to defeat Google technology.
After this flaw was disclosed to Google in April, the researchers report that the company has added some additional protections that limit the success rate of unCAPTCHA.
"For example, Google has also improved browser automation detection. In addition, we have noticed that some sounds include not only digits but also small excerpts of oral text."
The researchers have since released the complete PoC in a paper where you can see all the details [PDF]. The paper was officially presented at USENIX WOOT '17, which took place in Vancouver.