A researcher has discovered what he calls a "logic vulnerability" that allowed him to create a Python script that is fully capable of bypassing Google's reCAPTCHA fields using another Google service, the Speech Recognition API.

The researcher, who goes online only by the name of East-EE, released proof-of-concept code on GitHub.

ReBreakCaptcha vulnerability still unpatched

East-EE has named this attack ReBreakCaptcha, and he says he discovered this vulnerability in 2016. Today, when he went public with his research, he said the vulnerability was still unpatched.

The researcher was not clear if he reported the bug to Google. Bleeping Computer has reached out to the researcher to inquire if Google was, at least, aware of the issue.

The proof-of-concept code the researcher released allows attackers to automate the process of bypassing reCAPTCHA fields, currently used on millions of sites to keep out spam bots.

ReBreakCaptcha works only on audio challenges in reCAPTCHA v2

East-EE says his attack only works against Google reCAPTCHA v2, the current version of the reCAPTCHA service.

More exactly, the attack uses audio challenges, a secondary checking system available only when pushing a button at the bottom of the normal reCAPTCHA popup.

reCAPTCHA audio challenge option

In case people are using older browsers with no audio playback support, Google allows users to download the audio challenge.

reCAPTCHA audio challenge download option

The researcher says that he was able to take this audio file and feed it back into one of Google's own service, the Speech Recognition API.

The API returned back a written version of the audio challenge, which the researcher took and fed back into the reCAPTCHA field.

Attack can be automated

Because all of these steps can be automated, it is safe to expect that attackers will use East-EE's ReBreakCaptcha proof-of-concept code to create browser extensions or web-based services that provide reCAPTCHA-bypassing services.

This is not the first time a researcher managed to bypass Google's reCAPTCHA system. Back in April 2016, a trio of researchers found a way to bypass both Google and Facebook's CAPTCHA solutions, with a 70.78% success rate for Google, and 83.5% for Facebook.

As reported in December 2016, Google is working on reCAPTCHA v3, which needs minimal user interaction and is currently referred to as Invisible reCAPTCHA.