Sergej Khackimullin - Fotolia

What tools can bypass Google's CAPTCHA challenges?

The ReBreakCaptcha exploit can bypass Google's reCAPTCHA verification system using flaws in Google's own API. Expert Michael Cobb explains how the attack works.

Researchers at East-Ee Security demonstrated a proof-of-concept bypass of Google's reCAPTCHA V2 verification system...

that uses different image, audio or text prompts to verify that a person, as opposed to a bot, is attempting to log in. Their exploit technique, called ReBreakCaptcha, makes use of web-based Google tools to break through Google's system. What are the flaws in Google's API that make this attack possible? What is the threat of bots being able to bypass the Google CAPTCHA?

A CAPTCHA, or a Completely Automated Public Turing Test to Tell Computers and Humans Apart, is used to protect forms on websites from being abused by bots and other nonhuman interactions, the idea being that it poses a test that humans can pass, but that an automated computer program can't.

CAPTCHA challenge tests include image and text challenges, as well as an audio test option to ensure that users with visual impairments can respond. ReCAPTCHA is a free CAPTCHA service provided by Google that enables developers to easily incorporate CAPTCHA functionality into a website.

A post on the East-Ee Security website explained how a proof-of-concept Python script could automate the breaking of reCAPTCHA challenges by using Google's Speech Recognition API.

The blog explains how to force a site to present an audio CAPTCHA challenge and then convert the audio to the correct WAV file format, before sending it to Google's Speech Recognition API. The API response is a string version of the correct answer that can then be used to answer the CAPTCHA challenge. The CAPTCHA bypass script automates the various tasks, and then answers the CAPTCHA in an acceptable period of time without any user intervention. However, according to an update from East-Ee, many users who downloaded the script complained that it failed to correctly solve harder CAPTCHA challenges.

The CAPTCHA bypass script may work on a simple challenge, but if Google suspects a nonhuman interaction, or if the answer to a CAPTCHA comes from a public proxy or IP address that Google has flagged as suspicious, then the reCAPTCHA service presents the user with a harder version of the CAPTCHA challenge. The harder audio challenges include background noise and an overlapping voice.

CAPTCHA example

In an apparent effort to patch the vulnerability, Google has also raised the minimum number of digits used in a challenge from four or five to between 10 and 12, and it immediately switches to more complex challenges when a high-volume attack is identified. Even an updated version of the attack doesn't appear to have fully overcome these harder challenges; some of the harder audio challenges are even difficult for humans to decipher due to the constant hissing noises and overlapping voices.

Attempts to bypass Google's CAPTCHA have been published before -- by Stiltwalker in 2012 and AppSec Labs in 2016 -- and there are various paid-for services that offer to automate the process, like Captcha Solutions, but the success rate of these tools is not known.

Next Steps

Learn about how artificial intelligence chatbots are relevant to enterprises

Find out more about the Google authenticator app

Read how Facebook's Delegated Recovery protocol enables account verification

This was last published in August 2017

Dig Deeper on Identity and access management