UnCAPTCHA attack updated to bypass spoken phrases

Google updated its reCAPTCHA systems to make it more difficult to bypass, but researchers have updated a proof-of-concept attack to solve the new challenges.

The reCAPTCHA system developed by Google asks users to solve challenges -- identifying words, the contents of images or audio clips -- to determine if a human or a bot is attempting to use a website. The unCAPTCHA attack is an automated system developed by researchers at the University of Maryland that uses speech-to-text services from Google, Microsoft and IBM to correctly solve audio reCAPTCHA challenges. The original version of unCAPTCHA, created in April 2017, could solve audio challenges with an 85% accuracy rate.

At the time, audio reCAPTCHA used strings of numbers as the challenge, but in 2018, Google changed the system to use spoken phrases rather than digits. The research team developed the version of unCAPTCHA, dubbed unCAPTCHA2, which boasts a 90% success rate. The team disclosed the new version to Google in June but were told it was "out of scope for the bug bounty program."

"We contacted the reCAPTCHA team in June 2018 to alert them that the updates to the reCAPTCHA system made it less secure, and a formal issue was opened on June 27th, 2018. We demonstrated a fully functional version of this attack soon thereafter," the researchers wrote in the unCAPTCHA GitHub readme. "We chose to wait 6 months after the initial disclosure to give the reCAPTCHA team time to address the underlying architectural issues in the reCAPTCHA system. The reCAPTCHA team is aware of this attack vector, and have confirmed they are okay with us releasing this code, despite its current success rate."

Jeremiah Grossman, founder of WhiteHat Security, said that if unCAPTCHA can solve a challenge with such a high success rate, "it's either a vulnerability or a fundamental flaw in the entire product."

"Talk about irony! Leveraging Google's audio transcription to bypass their audio CAPTCHA. That said, there's been several tools and services available to solve Google's CAPTCHA for quite a number of years," Grossman said. "All the while adversaries have consistently demonstrated their ability to do so easily and cheaply. With this context, this latest 'security' issue is more humorous than it is surprising. It's happened before, it's happening now, and highly likely to happen again."

Ryan Wilk, vice president of customer success at NuData Security, said reCAPTCHA "is only one piece of the authentication puzzle."

"If CAPTCHA is the only security layer, once the puzzle is broken, then the bad actor has won," Wilk said. "To effectively solve the issue of automation attacks without creating a challenging customer experience, companies will need to implement a passive layered security solution, using behavioral analytics and passive biometrics, to accurately identify if the user is a human or a machine." 

Google did not respond to requests for comment at the time of this post, but in October the company announced plans for reCAPTCHA v3, which would do away with challenge questions and instead use a trust score to determine the difference between humans and bots.