Since its formal introduction, thousands of websites across the internet have used Google’s reCAPTCHA as an effective way to stay away from unwanted robots and crawlers. The reCAPTCHA interface helps the site to confirm if the person accessing the site is human.
Google Audio reCAPTCHA not secure
However, according to Nikolai Tschacher, a researcher, the Speed-to-Text API from Google opens the best way to bypass the reCAPTCHA interface. The digital security expert submitted his PoC findings on the 2nd of January 2021. This is one of the first bold accusations towards the renowned security system, though.
According to Mr. Tschacher, attackers may use a simple-enough procedure to bypass the reCAPTCHA. In case you didn’t know, reCAPTCHA always offers an option to listen to the audio message and extract the hidden characters from the voice instead of looking at the images.
While this is an accessibility-friendly feature, the hacker can download the MP3 file of the audio CAPTCHA and extract the information using Google’s speech-to-text API. Once extracted, hackers could use this information to get away from the reCAPTCHA UI. It’d have taken the hackers a considerable amount of time to do the same with the image-based CAPTCHAs.
Despite being unique, this isn’t the first Proof of Concept from Tschacher’s team to challenge the traditional functioning of Google reCAPTCHA. The team has been working on the topic for some time and made an update to Google in July 2018. The tech giant considered this advice and ensured that the new version could detect and disable bots better.
Nevertheless, in light of what the security researcher has submitted on the 2nd of January 2021, these measures seem to be only half-effective. In fact, even the latest version of the Google reCAPTCHA interface is breakable using the speech-to-text interface.
Tschacher also notes that Google improving bot detection options in reCAPTCHA 3 is a half-baked move as it has set reCAPTCHA 2 as the fallback option. Nevertheless, considering how widespread this service is used, Google will indeed release an update to this security system or at least tweak the speech-to-text API so that it doesn’t promote such a clash of self-interest.