UnCaptcha2 manages to bypass Google's reCAPTCHA system

News by Rene Millman

New iteration of unCaptcha overcomes Google's enhancements, making it "easier than ever before" to fool reCAPTCHA, claim researchers

The unCaptcha automated system can once again bypass Google’s reCAPTCHA challenges, despite major updates to the security service.

UnCaptcha was developed in 2017 by researchers at the University of Maryland to bypass the reCAPTCHA mechanism used to protect websites from automated account creation. The system achieved 85 percent accuracy in defeating Google's reCAPTCHA.

Subsequently, Google released an update to reCAPTCHA that featured better browser automation detection and spoken phrases rather than digits.

But now the researchers have modified the system to defeat the latest version of reCAPTCHA, claiming they have done so with 91 percent accuracy. The modified system can now bypass the audio challenges presented by reCAPTCHA.

According to the researchers, the system downloads the audio challenge and runs it through a speech-to-text API. UnCaptcha then parses the response, enters the answer in the text field, presses the submit button and checks whether the response was successful.

The researchers have since shared their findings with the Google reCAPTCHA team, which after six months authorised them to release the code.

"We chose to wait six months after the initial disclosure to give the Recaptcha team time to address the underlying architectural issues in the Recaptcha system. The Recaptcha team is aware of this attack vector, and have confirmed they are okay with us releasing this code, despite its current success rate," the researchers said in a posting on GitHub.

"This attack vector was deemed out of scope for the bug bounty programme."

The researchers said that this new variant will not be updated when Google updates its service.

"Unfortunately, due to Google's work in browser automation detection, this version of unCaptcha does not use Selenium. As a result, the code has to navigate to specific parts of the screen. To see unCaptcha working for yourself, you will need to change the coordinates for your screen resolution."

The researchers have also removed their API keys from all the necessary queries.

Ryan Wilk, vice president at NuData Security, told SC Media UK that this helps to show that CAPTCHA in and of itself is only one piece of the authentication puzzle.

"If Captcha is the only security layer, once the puzzle is broken, then the bad actor has won. To effectively solve the issue of automation attacks without creating a challenging customer experience, companies will need to implement a passive layered security solution, using behavioural analytics and passive biometrics, to accurately identify if the user is a human or a machine. If the sole source of identifying and mitigating automation is a shallow captcha puzzle with no intelligence behind it, get ready for 67 percent plus of all automation to get past security controls with ease," he said.

Jake Moore, cyber security expert at ESET UK, told SC Media UK that it is ironic that the acronym for CAPTCHA is ‘Completely Automated Public Turing Test to Tell Computers and Humans Apart’ but it doesn’t work all the time.

"Having said this, it is still far better than nothing when it comes to shielding out those pesky bots. People inherently want speed when it comes to the internet and so unCaptcha was a great way of simply clicking to get through to the next page. Introducing speech may not always be the answer as I doubt everyone would be comfortable saying random numbers out loud to enter a site. However, one alternative, albeit a few seconds slower, would be to have 2FA earlier set up per account using established authenticator apps," he said.
