A researcher has discovered what he calls a “logic vulnerability” that allowed him to create a Python script that is fully capable of bypassing Google’s reCAPTCHA fields using another Google service, the Speech Recognition API.
The researcher, who goes online only by the name of East-EE, released proof-of-concept code on GitHub.
ReBreakCaptcha vulnerability still unpatched
East-EE has named this attack ReBreakCaptcha, and he says he discovered this vulnerability in 2016. Today, when he went public with his research, he said the vulnerability was still unpatched.
The researcher did not say whether he reported the bug to Google. Bleeping Computer has reached out to the researcher to inquire if Google was, at least, aware of the issue.
The proof-of-concept code the researcher released allows attackers to automate the process of bypassing reCAPTCHA fields, currently used on millions of sites to keep out spam bots.
ReBreakCaptcha works only on audio challenges in reCAPTCHA v2
East-EE says his attack only works against Google reCAPTCHA v2, the current version of the reCAPTCHA service.