Make a system which automatically reroutes captchas annoying you to users who want to watch porn.
Some had little tweaks, some had newer mechanisms.
10/2017 (After this publication Google decided to upgrade audio challenges from digits audio to phrases audio) Through the coming years, a lot of researchers based their research on mine (with one team even writing their thesis upon this concept). Started fiddling around with splitting the audio digits using the silence between, but had lower success rates (less than the original 97%) – so decided to leave it at that. I declared the PoC as non-operational anymore. They also contained background noise so bad, it sometimes was impossible to solve manually. Those harder-to-solve audio challenges were longer (10-12 digits). They replaced the easy-to-solve audio challenges (4-5 digits) with a much harder variant after only a few audio solves. It was brought to Google’s attention that the PoC was live on GitHub so they took action.
It’s been 5 years, so I decided to revisit this project and check it out.
As of the time of posting (), it is confirmed that this vulnerability still works with some minor changes to the code with 98% success rate – better than the original!
Backstory
A few days after publishing the original post, it got a lot of traffic and made headlines. The previous post prompted Google to respond quickly, and heavy measures were made to prevent it in the short-term.
Therefore, we need a methodology of how to get an audio challenge every time. Re-ReBreakCaptcha knows how to solve ReCaptcha v2 audio challenges, using Google’s own services! The user is requested to select those sub-images that best match the given description.
Audio Challenge – The challenge contains an audio recording. The user is requested to enter the words that are heard. Image Challenge – The challenge contains a description and an image which consists of 16 sub-images. There are two types of ReCaptcha v2 challenges: We’ll focus on the first type, as it has all the challenges. V2 has two types: “I’m not a robot” Checkbox, and Invisible reCAPTCHA badge. V3 is not our focus in this post, as it has no user interaction at all and only results in a score without a CAPTCHA challenge. Many of us know of ReCaptcha, Google’s Human Recognition Program. TL;DR A logic vulnerability working 5 years later, dubbed ReBreakCaptcha, which lets you easily bypass Google’s ReCaptcha v2 anywhere on the web.