
ReBreakCaptcha: Breaking Google’s ReCaptcha v2 Using Google

140 points by edwinksl, about 8 years ago

10 comments

maxmcd, about 8 years ago
From previous recaptcha discussion[1] it seems like the going rate for solving recaptchas is $2 for 1000 solved, or as low as $1/1000. This method would actually be more expensive than that at $6/1000[2]

1. https://news.ycombinator.com/item?id=11453697

2. https://cloud.google.com/speech/pricing
tyingq, about 8 years ago
Found something mildly interesting playing around with this. One of the network requests when you ask for audio is this: https://www.google.com/js/bg/Kv2WsNzHE5GULL-TmjqX5N4dnwt4D3cPVKm_UbfMct4.js

Which presents this, in a comment at the top of the returned js:

Anti-spam. Want to say hello? Contact (base64) Ym90Z3VhcmQtY29udGFjdEBnb29nbGUuY29t

That decodes to: botguard-contact@google.com
spullara, about 8 years ago
When I was at Yahoo we had a HackDay where there was one team that used Flickr data to make a captcha that asked for tags for an image it displayed. Another team used Flickr data to look at images and automatically tag them...
hedora, about 8 years ago
Wow. I want this as a browser plugin. The image recaptchas are extremely time consuming (maybe I click the wrong images, or they're just punishing me for logging out and clearing cookies...), and I don't want to futz with the audio ones.
cavanasm, about 8 years ago
Is this a PoC bug bounty type of deal, or "here's a neat tool that can beat reCaptcha" type of deal? Seeing a bunch of comments about wanting a browser plugin that exploits this, but I'm wondering if that would be legal or not after reading (from HN several weeks ago) about the ticket scalpers who automated TicketMaster's site and were charged with fraud. The case isn't exactly analogous, but it's close enough to make me wonder.

https://motherboard.vice.com/en_us/article/the-man-who-broke-ticketmaster
amenghra, about 8 years ago
Maybe they should have dubbed this ReNotBreakCaptcha?

> I’ve tested 3 examples, and none had the correct answer: the first one only detected 3 out of 6 numbers, the second had 10 digits, one of them wrong, and the third couldn’t recognise.
> Also, it seems that Google implements a max number of retries for the audio challenge.
hippich, about 8 years ago
Captcha-replacement - https://hashcash.io/
appsec1485, about 8 years ago
It was already proved in 2012: https://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/

But, it is not exploitable - when Google identified high volume attacks, the voice captcha is changed into a more complex voice which cannot be identified via this tool.

A Proof of Concept was already created by AppSec Labs, in Sep 2016: https://www.youtube.com/watch?v=4yec-vxN0BY
chatmasta, about 8 years ago
What success rate have you seen? Google intentionally fuzzes parts of the audio and tries to induce false positives.

Also, does Google offer an audio captcha every single time? Even for very high risk profiles?
captchaz, about 8 years ago
You can automatically bypass ReCaptcha v2 using a captcha solving service with https://www.captchasolutions.com