Attack on Audio Version of Google’s reCAPTCHA System Using Speech-to-Text Services Resurrected


An attack technique discovered in 2017 has once again been revived to beat the audio version of Google’s reCAPTCHA scheme using speech-to-text services.

In 2017, a team of researchers from the University of Maryland found that online speech-to-text services could be used to solve reCAPTCHA v2 audio challenges automatically with a high degree of accuracy. The researchers called the attack unCaptcha.

Google introduced several improvements to the reCAPTCHA scheme after the technique was disclosed, and unCaptcha stopped working. In January 2019, however, the researchers announced that they had managed to revive the attack, called it unCaptcha2, and published the proof-of-concept (PoC) code with Google’s permission.

The researchers noted at the time that they would not be updating their code and that it would stop working at some point.

As expected, the PoC did stop working, but Germany-based researcher Nikolai Tschacher has managed to tweak the unCaptcha2 PoC to make it work against the new version of reCAPTCHA v2. Tschacher released a video demonstrating how a bot can use Google’s own speech-to-text API to solve the audio reCAPTCHA with an accuracy of 97 percent.

In 2018, Google released reCAPTCHA v3, which improves the user experience by running adaptive risk analysis in the background rather than showing challenges, but Tschacher points out that “reCAPTCHA v2 is still used as a fall-back mechanism in the new reCAPTCHA v3.”

The researcher released the PoC code, along with a description of the improvements he made in unCaptcha3 relative to unCaptcha2.

It is worth noting that some developers have released free web browser extensions that enable users to use the unCaptcha approach to solve reCAPTCHA challenges instantly with the click of a button.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, she was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.