Security Week 02: hack reCAPTCHA v3 through voice recognition

2 min


The first working day after the New Year holidays is the very moment when it is difficult to prove to the computer that you are not a robot. It’s easier for a machine to pretend to be a human, and one of the latest publications is devoted to just this. Researcher Nikolai Tschacher won another victory in the captcha hacking discipline: he showedhow you can bypass the latest version of reCAPTCHA v3 using the Text-to-Speech service, developed, like the captcha itself, by Google.

It was not the main captcha with images that was hacked, but an alternative method of verification using a voice message. A code is sent in the audio message, which must be entered in the appropriate field. Nikolay improved the method developed by earlier against the previous version of reCAPTCHA v2: the script intercepts an audio file with a voice message and sends it to the Text-to-Speech service. The code is recognized properly in over 90% of cases. The researcher confirmed that the method also works against reCAPTCHA v3: apparently, the alternative authorization method migrated straight from the previous version, although the captcha upgrade to the third version also broke the Proof-of-Concept published two years ago. In his repository on Github, Nikolai posted an updated version

Video demonstrating the operation of the updated script (fully automated up to mouse movements):

What else happened

At the beginning of January updated Firefox and Chrome browsers. In both cases, serious vulnerabilities were closed that could allow arbitrary code to execute and gain control over the system. In the case of Firefox, both the PC version and the mobile release are affected. In Chrome, the vulnerability is only relevant to computers.

Closed vulnerabilities in NVIDIA drivers. In addition to the traditional privilege elevation hole, the patches address several issues in the vGPU driver for virtualizing GPU resources. The exploitation of these bugs, although it does not allow taking control of the host machine, allows information disclosure and denial of service.

January patch set for Android closes 43 vulnerabilities, including one in the Android System component, allegedly related to the operation of the Bluetooth module.

Researcher Ahmed Hassan found vulnerability in the Telegram messenger function “People are Near”. The operation of the problem is similar to the methods for other programs using geolocation: by substituting your own coordinates, you can conduct a virtual triangulation and get the exact location of another user instead of an approximate one.

Representatives of the Nissan company announced a serious leak corporate data: it happened because of the Git server with the username and password admin: admin.

A very interesting study about hacking (short version on Habré) Google Titan hardware key used for two-factor authentication. A side-channel attack method was used to decrypt the data.

In the latest firmware for some ZyXel network devices discovered hardcoded password.


0 Comments

Leave a Reply