unCAPTCHA

unCAPTCHA is the name of a new automated system designed by a team of four computer science experts from the University of Maryland (UM) that can break Google's reCAPTCHA challenges with an accuracy of 85%.

The system doesn't target reCAPTCHA's image-based challenges, but the audio version that Google added so people with disabilities can solve its puzzle.

unCAPTCHA works by downloading this audio puzzle and feeding it to six text-to-speech (TTS) systems, aggregating the results, and feeding most probable answer back to Google's servers.

reCAPTCHA audio

Tests carried out by researchers show that unCAPTCHA can break 450 reCAPTCHA challenges with an 85.15% accuracy in 5.42 seconds, which is less time than a human needs to listen to one reCAPTCHA audio challenge.

unCAPTCHA available on GitHub

UM researchers published the code for unCAPTCHA on GitHub. Their code uses the TTS systems such as Bing Speech Recognition, IBM, Google Cloud, Google Speech Recognition, Sphinx, and Wit-AI.

unCAPTCHA is not the first system of its kind. In March, a researcher published ReBreakCaptcha, almost identical to unCAPTCHA. The difference is that UM researchers notified Google of their work in advance, and the company worked to improve reCAPTCHA.

"Since that time, reCaptcha appears to include some additional protections that limit unCaptcha's success," researchers say.

"For instance, Google has also improved their browser automation detection," the team added. "This means that Selenium cannot be used in its current state to get captchas from Google. This may lead to Google sending odd audio segments back to the end user. Additionally, we have observed that some audio challenges include not only digits, but small snippets of spoken text."

AI bot also broke reCAPTCHA last week

Also last week, researchers announced they created an AI bot that works similarly to the human eye and can also break various CAPTCHA systems with high accuracy. More specifically, this new system solved Google reCAPTCHAs with 66.6% accuracy, BotDetect with 64.4%, Yahoo with 57.4%, and PayPal image challenges with 57.1%.

Bleeping Computer readers can read more about this new reCAPTCHA breaker in a research paper entitled "unCaptcha: A Low-resource Defeat of reCaptcha's Audio Challenge," available for download here and here. The research paper was also part of the Usenix Workshop on Offensive Technologies (WOOT) 2017 that took place this August.