Google Recaptcha Bypass Technique Uses Google’s Own Tools

A proof of concept bypass of Google’s reCaptcha V2 verification system, posted online Tuesday, uses Google’s own web-based tools to pull off the skirting of the system. IT security experts from AlienVault and Positive Technologies commented below. 

Chris Doman, Security Researcher at AlienVault:

Christopher Doman“This isn’t the first time that researchers have proposed methods for breaking Recaptcha CAPTCHAs. Some have used Google’s own OCR scanning software Tesseract to break them. Others have also tried Google’s own voice recognition system (http://www.debasish.in/2014/04/attacking-audio-recaptcha-using-googles.html). However Google uses other information, such as IP reputation, to reduce the success rate of these attacks to an acceptable rate.

The current favoured method of Spammers to solve Captcha’s is to pay third world workers tiny wages to solve them manually (http://www.deathbycaptcha.com/).”

Alex Mathews, Lead Security Evangelist at Positive Technologies:

Alex Mathews“Google ReCaptcha bypass by another intellectual instrument of the same company shows that AI developement in a real world of struggle is quite different from “pure academic” AI studies. Lately Google boasted a lot about its AI products; at the same time, the company publicized the discovery of vulnerabilities in many known antivirus systems. Now, it looks like one plus one gave two: Google AI was used against Google itself in the field of security.

“The whole idea to use speech recognition to fence off the bots is quite outdated, so we don’t recommend using it anyway: modern speech recognition software is good enough to bypass it (even without Google). There exist a lot of different methods that are much harder to bypass. But the main problem here is the same as simple passwords: mass services don’t want to push their customers to “more complex” security measures because it makes their services less accessible.”