TL;DR
A logic vulnerability, dubbed ReBreakCaptcha, which lets you easily bypass Google’s ReCaptcha v2 anywhere on the web.

Overview
Back in 2016, I started poking around to see how hard it would be for a threat actor to find a new method that bypasses Google’s ReCaptcha v2. It would be ideal if it worked in any environment, rather than being tailored to fit a specific use case.

I would like to introduce you to ReBreakCaptcha – a brand new bypassing technique for Google’s ReCaptcha v2.

ReBreakCaptcha works in three stages:
• Audio Challenge – Getting the correct challenge type.
• Recognition – Converting the audio challenge file and sending it to Google’s Speech Recognition API.
• Verification – Verifying the Speech Recognition result and bypassing the ReCaptcha.

As of the time of posting, it is confirmed that this vulnerability still works.

ReBreakCaptcha Stage 1: Audio Challenge
There are three types of ReCaptcha v2 challenges:
• Image Challenge – The challenge contains a description and an image which consists of 9 sub-images. The user is requested to select the sub-images that best match the given description.
• Audio Challenge – The challenge contains an audio recording. The user is requested to enter the digits that are heard.
• Text Challenge – The challenge contains a category and 5 candidate phrases. The user is requested to select the phrases that best match the given category.

ReBreakCaptcha knows how to solve ReCaptcha v2 audio challenges. Therefore, we need a method for getting an audio challenge every time.
When clicking the “I’m not a robot” checkbox of ReCaptcha v2, we are often presented with the following challenge type:

Figure 1: Image Challenge

To get an audio challenge we need to click the following button:

Figure 2: The Audio Challenge Button

Then we are presented with an audio challenge that can be easily bypassed:

Figure 3: Audio Challenge

Some of you may notice that instead of an audio challenge, sometimes you get a text challenge like so:

Figure 4: Text Challenge

To bypass it and get an audio challenge, you simply click the ‘Reload Challenge’ button until you get the correct type.

The Reload-Challenge button:

Figure 5: Get New Challenge Button

What was our goal? To bypass the ReCaptcha. Can we do this? Google Speech Recognition API!

ReBreakCaptcha Stage 2: Recognition
Now comes the fun part: taking advantage of one of Google’s services to beat another of Google’s services! Let’s get back to the audio challenge (Figure 3). As you can see, the controls on this challenge page are:
1. A play button – to hear the challenge.
2. A textbox – for user input.
3. A download button – to download the audio challenge.

Let’s download the audio file and send it to Google Speech Recognition API. Before doing so, we will convert it to ‘wav’ format, which is required by Google’s Speech Recognition API.

Now we have the audio challenge file and are ready to send it to Google Speech Recognition. How can this be done? Using their API. There is a great Python library named … for performing speech recognition, with support for several engines and APIs, online and offline. We will use this library’s implementation of Google Speech Recognition API. We will send the ‘wav’ audio file and the Speech Recognition will send us back the result as a string (e.g. …). This result will be the solution to our audio challenge.

ReBreakCaptcha Stage 3: Verification
This stage is fairly short. All we need to do now is to copy-paste the output string from Stage 2 into the textbox and click ‘Verify’ on the ReCaptcha widget. That’s right, we have now semi-automatically used one of Google’s services to bypass another of its own services.

ReBreakCaptcha Complete Proof-Of-Concept
I have proceeded and made a complete POC script using Python. It utilizes all of the presented stages of the technique for a fully-automated bypass of ReCaptcha v2.

Link to the GitHub repository:

3/2/2017 – Update: It has come to my attention that a lot of people encounter a harder version of the audio challenge. Therefore, I have committed a workaround to the GitHub repo that should overcome this situation, though at a lower success rate compared to the original easier audio challenges. It is still not fully clear how this harder version is triggered, but the number one suspected reason is that your IP looks suspicious to Google.