
ReBreakCaptcha: Breaking Google’s ReCaptcha v2 Using Google - edwinksl
https://east-ee.com/2017/02/28/rebreakcaptcha-breaking-googles-recaptcha-v2-using-google/
======
maxmcd
From previous recaptcha discussion[1] it seems like the going rate for solving
recaptchas is $2 per 1000 solved, or as low as $1/1000. This method would
actually be more expensive than that at $6/1000[2]

1.
[https://news.ycombinator.com/item?id=11453697](https://news.ycombinator.com/item?id=11453697)

2.
[https://cloud.google.com/speech/pricing](https://cloud.google.com/speech/pricing)

~~~
hedora
Similar to my other comment, as a normal user, I'd happily pay 1/10th of a cent
(as long as it went to the grey market, and not the website or google) to
bypass a recaptcha.

~~~
dsacco
That incentive only works if a website's primary captcha use case is spam
avoidance. Most websites that use captchas have a vested interest in
preventing you from being able to bypass them by tossing money around. Paying
to remove captchas is fundamentally unlike similar proposals (like paying to
remove advertisements) that are designed to make innocuous users' lives easier
because captchas aren't solely designed to prevent spam, nor are they designed
as a passive revenue stream.

For example, one common use of a captcha is, essentially, rate-limiting in a
non-spam prevention context. It's arguable that rate-limiting should be
implemented _differently_ , but captchas are actually fairly effective for
rate-limiting regardless. Websites that feature things like gift card numbers
typically put captchas on lookups and validations to prevent people from
simply brute-forcing them (especially if they do not use gift card pins). In
scenarios like that, you don't _want_ spammers to be able to bypass captchas,
but if they fundamentally can, at least it costs them money.

On the other hand, explicitly supporting captcha avoidance as a revenue
stream presents malicious users with the same opportunity that
parents get if you offer to fine them for being late to pick up their children
from daycare. You've just implicitly given them a choice that was not really
allowed before, and they'll happily pay you directly instead of the shady API
they have to use to get rid of the captcha.

So to sum up - captchas aren't fun, but in principle you really don't want
there to be a consistent method for cheaply bypassing them (whether grey
market or officially supported) if the expected value of doing so is
significantly higher than the cost.

------
tyingq
Found something mildly interesting playing around with this. One of the
network requests when you ask for audio is this:
[https://www.google.com/js/bg/Kv2WsNzHE5GULL-TmjqX5N4dnwt4D3c...](https://www.google.com/js/bg/Kv2WsNzHE5GULL-TmjqX5N4dnwt4D3cPVKm_UbfMct4.js)

Which presents this, in a comment at the top of the returned js:

Anti-spam. Want to say hello? Contact (base64)
Ym90Z3VhcmQtY29udGFjdEBnb29nbGUuY29t

That decodes to: botguard-contact@google.com

~~~
dabber
Some background on the code:

[http://stackoverflow.com/questions/21762076/why-does-gmail-u...](http://stackoverflow.com/questions/21762076/why-does-gmail-use-eval)

------
spullara
When I was at Yahoo we had a HackDay where there was one team that used Flickr
data to make a captcha that asked for tags for an image it displayed. Another
team used Flickr data to look at images and automatically tag them...

------
hedora
Wow. I want this as a browser plugin. The image recaptchas are extremely time
consuming (maybe I click the wrong images, or they're just punishing me for
logging out and clearing cookies...), and I don't want to futz with the audio
ones.

~~~
problems
Yeah, it's really brutal. I find the new recaptchas which I hit almost every
time are much more exhausting than the old text-based ones, and probably much
easier for a machine to solve to boot.

~~~
zodPod
The worst are the questions like "Click the images with a store front" what
the hell is a store front? Especially in today's world.. Is a garage a store
front? Is a hot dog stand a store front? Same with like "Click the images with
cars" but there's a crossover. Is that a car? Is a station wagon a car?

~~~
Ajedi32
I've found it's best to just not think about it too much. CAPTCHAs are, after
all, designed to "tell Computers and Humans Apart". You're a human, so just
pick whatever seems reasonable and move on. If the system doesn't accept your
answer, that's _its_ fault, not yours.

------
cavanasm
Is this a PoC bug bounty type of deal, or "here's a neat tool that can beat
reCaptcha" type of deal? Seeing a bunch of comments about wanting a browser
plugin that exploits this, but I'm wondering if that would be legal or not
after reading (from HN several weeks ago) about the ticket scalpers who
automated TicketMaster's site and were charged with fraud. The case isn't
exactly analogous, but it's close enough to make me wonder.

[https://motherboard.vice.com/en_us/article/the-man-who-broke...](https://motherboard.vice.com/en_us/article/the-man-who-broke-ticketmaster)

~~~
tyingq
They did, indeed, get charged with wire fraud, and entered guilty pleas[1].

The EFF and others were pretty dismayed with this, and felt it should have
been a civil, and not criminal matter.

Since that time, Congress also passed a "Bots Law" that specifically spells
out gaming online tickets as _"treated as unfair or deceptive acts or
practices under the Federal Trade Commission Act."_ [2] I suspect this opens a
door for larger fines as well.

[1] [https://www.wired.com/2010/11/wiseguys-plead-guilty/](https://www.wired.com/2010/11/wiseguys-plead-guilty/)

[2] [https://www.congress.gov/bill/114th-congress/senate-bill/318...](https://www.congress.gov/bill/114th-congress/senate-bill/3183)

------
amenghra
Maybe they should have dubbed this ReNotBreakCaptcha?

> I've tested in 3 examples, and none had the correct answer: the first one only detected 3 out of 6 numbers, the second had 10 digits, one of them wrong, and the third couldn't recognise.
> Also, it seems that Google implements a max number of retries for the audio challenge.

------
hippich
Captcha-replacement - [https://hashcash.io/](https://hashcash.io/)

~~~
foobiekr
This is not a captcha replacement at all. The constraint on proof-of-work
functions is that they have to be compatible with mobile users, which puts an
upper bound on the approach.

Custom work (even in the presence of scrambled approaches) and servers instead
of mobiles both make this approach problematic.

------
appsec1485
It was already proved in 2012:
[https://arstechnica.com/security/2012/05/google-recaptcha-br...](https://arstechnica.com/security/2012/05/google-recaptcha-brought-to-its-knees/)

But, it is not exploitable - when Google identifies high volume attacks, the
voice captcha is changed into a more complex voice which cannot be identified
via this tool.

A Proof of Concept was already created by AppSec Labs, in Sep 2016:
[https://www.youtube.com/watch?v=4yec-vxN0BY](https://www.youtube.com/watch?v=4yec-vxN0BY)

------
chatmasta
What success rate have you seen? Google intentionally fuzzes parts of the
audio and tries to induce false positives.

Also, does google offer an audio captcha every single time? Even for very high
risk profiles?

~~~
lmkg
> Also, does google offer an audio captcha every single time? Even for very high
> risk profiles?

It might be a legal requirement from the ADA.

------
captchaz
You can automatically bypass ReCaptcha v2 using a captcha solving service with
[https://www.captchasolutions.com](https://www.captchasolutions.com)

