From previous recaptcha discussion[1] it seems like the going rate for solving recaptchas is $2 for 1000 solved, or as low as $1/1000. This method would actually be more expensive than that at $6/1000[2].<p>1. <a href="https://news.ycombinator.com/item?id=11453697" rel="nofollow">https://news.ycombinator.com/item?id=11453697</a><p>2. <a href="https://cloud.google.com/speech/pricing" rel="nofollow">https://cloud.google.com/speech/pricing</a>
Found something mildly interesting playing around with this. One of the network requests when you ask for audio is this: <a href="https://www.google.com/js/bg/Kv2WsNzHE5GULL-TmjqX5N4dnwt4D3cPVKm_UbfMct4.js" rel="nofollow">https://www.google.com/js/bg/Kv2WsNzHE5GULL-TmjqX5N4dnwt4D3c...</a><p>Which presents this, in a comment at the top of the returned js:<p>Anti-spam. Want to say hello? Contact (base64) Ym90Z3VhcmQtY29udGFjdEBnb29nbGUuY29t<p>That decodes to: botguard-contact@google.com
When I was at Yahoo we had a HackDay where there was one team that used Flickr data to make a captcha that asked for tags for an image it displayed. Another team used Flickr data to look at images and automatically tag them...
Wow. I want this as a browser plugin. The image recaptchas are extremely time consuming (maybe I click the wrong images, or they're just punishing me for logging out and clearing cookies...), and I don't want to futz with the audio ones.
Is this a PoC bug bounty type of deal, or "here's a neat tool that can beat reCaptcha" type of deal? Seeing a bunch of comments about wanting a browser plugin that exploits this, but I'm wondering if that would be legal or not after reading (from HN several weeks ago) about the ticket scalpers who automated TicketMaster's site and were charged with fraud. The case isn't exactly analogous, but it's close enough to make me wonder.<p><a href="https://motherboard.vice.com/en_us/article/the-man-who-broke-ticketmaster" rel="nofollow">https://motherboard.vice.com/en_us/article/the-man-who-broke...</a>
Maybe they should have dubbed this ReNotBreakCaptcha?<p><pre><code> > I’ve tested 3 examples, and none had the correct answer: the first one only detected 3 out of 6 numbers, the second had 10 digits, one of them wrong, and the third couldn’t recognise.
> Also, it seems that Google implements a max number of retries for the audio challenge.</code></pre>
It was already proved in 2012:
<a href="https://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/" rel="nofollow">https://arstechnica.com/security/2012/05/google-recaptcha-br...</a><p>But, it is not exploitable - when Google identified high volume attacks, the voice captcha is changed into a more complex voice which cannot be identified via this tool.<p>A Proof of Concept was already created by AppSec Labs, in Sep 2016:
<a href="https://www.youtube.com/watch?v=4yec-vxN0BY" rel="nofollow">https://www.youtube.com/watch?v=4yec-vxN0BY</a>
What success rate have you seen? Google intentionally fuzzes parts of the audio and tries to induce false positives.<p>Also, does Google offer an audio captcha every single time? Even for very high risk profiles?
You can automatically bypass ReCaptcha v2 using a captcha solving service with <a href="https://www.captchasolutions.com" rel="nofollow">https://www.captchasolutions.com</a>