unCAPTCHA3 evades Google Audio reCAPTCHA with Speech-to-Text API

While CAPTCHAs still supposedly serve to distinguish between human users and automated traffic, one more time, a bypass has appeared. A researcher has devised a strategy, dubbed unCAPTCHA3, to bypass Google Audio reCAPTCHA using Google’s own Speech-to-Text API.

unCAPTCHA3 to bypass Google Audio reCAPTCHA

Security researcher Nikolai Tschacher has found how to evade Google Audio reCAPTCHA check really quick. All it takes is to use Google’s own Speech-to-Text API to solve the audio reCAPTCHA.

Bypassing Google reCAPTCHA isn’t anything new. The first bypass emerged back in 2017, dubbed unCAPTCHA. While Google resolved the issue with reCAPTCHA v2, another bypass appeared in 2019, dubbed as UnCAPTCHA2.

Google also resolved the evasion with the release of reCAPTCHA v3. However, the researcher Tschacher explained that Google still uses reCAPTCHA v2 as a fallback mechanism for v3.

Hence, despite that unCAPTCHA2 no more works correctly, Tschacher’s strategy makes it work once again. The new technique, dubbed unCAPTCHA3 is a modification of unCAPTCHA2. The researcher has shared the PoC code here on GitHub.

Whereas, regarding the attack strategy, the researcher stated in his blog post,

The idea of the attack is very simple: You grab the mp3 file of the audio reCAPTCHA and you submit it to Google’s own Speech to Text API.
Google will return the correct answer in over 97% of all cases.

Although, Google has removed the option to download the reCAPTCHA audio file.

However, unCAPTCHA3 resolves this problem.

The following video demonstrates the reCAPTCHA bypass.

For now, the attack seems working and Google hasn’t developed a fix for it yet.

Nonetheless, the researcher explained that Google doesn’t frequently serve audio reCAPTCHAs. And repeated requests for audio reCAPTCHAs, particularly for signed-out users, may even make Google block the user.

However, careful use of the technique may allow a successful bypass of audio reCAPTCHAs in most cases.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients