How reCAPTCHA Can Be Bypassed Using Google's Speech Recognition API

A researcher has found a vulnerability in the latest version of reCAPTCHA that could potentially let spambots bypass reCAPTCHA fields across millions of sites. Catalin Cimpanu over at Bleeping Computer has the details.

A developer going by the name ‘east-ee’ has developed a script that uses Google’s own speech recognition API to solve the audio challenges associated with the latest version (v2) of reCAPTCHA. The Python script is now available on GitHub, although east-ee claims he spotted the bug back in 2016.

The script only works against the latest version, which offers an audio challenge as a backup check when you click a button at the bottom of the reCAPTCHA pop-up. The fatal flaw in the design is that Google gives users on older browsers the option to download the audio. This allowed east-ee to download the audio to memory and then use Google’s own speech recognition API to get the correct transcription, which could then be posted back to solve the captcha.

Catalin notes that this is not the first time researchers have bypassed Google and Facebook’s captcha tech. Three researchers in April last year were able to fool both tech giants in over 70% of cases. Google is, however, working on reCAPTCHA v3, which will hopefully patch the latest vulnerability.

Original Article

Researcher Breaks reCAPTCHA Using Google's Speech Recognition API