Update: This does not work anymore Google changed their voice captcha (more on this later)
Warning: Major Ironic discussion ahead.
What is Captcha?
OK, let’s start from the beginning. Most of you probably know what captcha is but many of you may not know the reason captcha is used. So let’s start with a little about classical captcha, you might have seen (and surely) been annoyed by this over your years on the internet
Until recently, when google released its AI and Machine Learning powered ReCaptcha V2. You probably have seen it a lot recently. It looks like this
Ok, So how does the new captcha work? Let’s first talk about why captcha is used. Captcha is used to prevent overloading of database or emails etc. Suppose you are signing up to a website. It’s a pretty simple form and it is easy to write a bot that keeps on making accounts by filling random data in the fields hence flooding the database. This is where captcha comes in. It basically makes sure the person filling the form is a human and not a bot. Hence the text, I’m not a robot.
Ok so in the early times you had to write some text, as written in the image to verify your humanity 😀 but how does Google’s new reCAPTCHA V2 work, which most of the time does not require you to write up any text or anything. Google recaptcha v2 is an AI powered system which considers many factors such as your mouse movement as you click, your session on the website etc. Basically, most of the time it clears you out, BUT when it’s doubtful, it serves you with stuff like this
Interesting… so Google actually made the captcha less annoying and more powerful. A few days back Google released even a better version. Check out Google’s Invisible RECaptcha.
So What Exactly is the News?
Ok enough of all that. What really was achieved. Basically as you can see in the image above. There is a headphone button below which actually just gives a sound captcha speaking some numbers which need to be entered in the captcha. So what this person achieved is actually a MAJOR irony. What he did was merely use Google’s own voice recognition API to recognize the numbers and actually enable a bot to recognize the captcha. So he actually used one Google service to break into another one of Google’s service. It was all really comic and very insecure. It basically involved the following steps:
- Click on the headphone button
- Download the sound clip
- Send sound clip to Google Voice recognition API
- The API returns a string just put the string in the captcha textbox
AND congrats you just fooled the Google recaptcha. IRONIC RIGHT? Infact, the person actually released a POC code for everyone to see and use.
Update: Google Fixed it
So, It was awesome while it lasted but Google actually changed its voice sample adding background noise and modifying sound making it harder for a voice recognition engine to recognize it anymore. So, this no longer works.