Evaluation of an attack approach on V3 Captcha

Mohit Mohit, Saksham Chawala, Sumit Mokashi
Department of Computer Science, University of Texas at Arlington, Arlington, Texas

Abstract— Captchas are used as the first line of defense against automated account creation and service abuse. Google’s reCaptcha is currently used by millions of websites for protection against automated attackers (testing whether a user is truly human). In this project we present an approach where we try to compromise the Google V3 Captcha module using techniques involving machine learning. We create a click-bot that generates and emulates human cursor movements on the screen, in an attempt to fool the captcha module. Using our bot we create a dataset that we then use to train our model. In our approach we try to use Binary classification, and we conclude our project by providing details of a more comprehensive approach that involves Reinforcement Learning.

I. INTRODUCTION

CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are systems designed to protect against automated account creation and service abuse by presenting users with a challenge that is easy for humans to solve but difficult for computers. Captchas are used extensively online as a defense against automated bots and Sybil attacks, as well as for preventing spam. For instance, many online registration platforms, from social media services to ticketing systems, require the user to solve a captcha during registration to prevent automated creation of fake accounts. In a similar vein, some online services have recently begun requiring clients to solve captchas before delivering web content. The security of captchas is paramount to protecting services on the Internet from these attacks. For the remainder of the paper, we follow industry convention and write the acronym in lowercase, as “captcha”, for readability.

As the spread of news and information is increasingly driven by user content on sites like YouTube and Reddit, bots that could defeat the captcha system and register a disproportionate number of accounts could theoretically control the flow of information. It is therefore unsurprising that captchas have been the target of attack for researchers and attackers for years. Until recently, captchas have featured distorted text that users must correctly type to pass. Bursztein et al. showed these text-based captchas to be insecure by demonstrating a system with near-complete (98%) accuracy. As a result, text-based captchas have been largely phased out in favor of image captchas. However, visually impaired users are incapable of solving these visual captchas, prompting the creation of audio captchas.

Typical audio captchas consist of different speakers saying words or digits at randomly spaced intervals at a variable pitch or speed, often with an accent and distortion/noise. To solve the captcha, a user must correctly identify the digits or words spoken in the audio clip. Attacks have been demonstrated on these audio captchas with varying degrees of success in the past. This is usually done by training local machine-learning models to identify spoken words, a high-resource and time-consuming approach. Additionally, although researchers have explored using online speech recognition services, including Sphinx or Google Speech Recognition, these services have not been accurate enough to compete with offline services or solve the captcha reliably.

II. BACKGROUND

The reCaptcha system relies on an advanced risk analysis engine. As the user interacts with reCaptcha (clicking buttons and typing), the system determines a level of suspicion for that user. Today, many users will find that they simply need to click the checkbox and be verified without needing to solve a captcha. This occurs when reCaptcha is fairly confident that the user is human and not an automated attacker (this is called the “noCaptcha reCaptcha”). If the system is unsure whether the user is a human (but is not highly suspicious either), it will deliver a moderate challenge to the user (an easy image problem or a short audio string of numbers to transcribe). This often occurs when a user does not yet have a long enough history of interaction with Google. However, as the reCaptcha system becomes increasingly suspicious, it delivers harder challenges: 10 digits in the audio challenge, or prompting the user to solve multiple challenges. By default, a user with no past history with Google services will be automatically given the most difficult challenge. It is these most difficult challenges that unCaptcha attempts to solve.

Although the new reCaptcha system was introduced in 2014 to replace the traditional “distorted text” captcha, not much is known about its inner workings. Google has protected the inner design of reCaptcha heavily, releasing few details about how their software works. The captcha system is run from an encrypted, isolated VM (Virtual Machine) in JavaScript with a unique bytecode language. To make reverse engineering even more difficult, the bytecode has direct access to JavaScript variables of its own interpreter, and changes its own decryption key and even its own opcode numbers at many points during its own execution. A full working disassembler and decompiler for the system was released, and it was determined that the captcha system, in addition to confirming the actual captcha solving, checked for the presence of: valid plugins; a valid user-agent string; a valid screen resolution; execution time; computer timezone; number of click, keyboard, or touch actions in the iframe of the captcha; many browser-specific functions and CSS rules; canvas rendering properties; server side cookies; and likely more.

In 2016, a further analysis by Sivakorn et al. of the reCaptcha system explored the weaknesses of the initial implementation of the image captcha. It is important to note that the image captcha has changed since that paper, and their methodology is no longer sufficient to defeat the captcha. However, their analysis of the captcha’s risk analysis system lends insight into its inner workings. In particular, Sivakorn et al. found that Google’s tracking cookies play an integral role in the captcha’s defenses. The captcha system is made aware of every time a user interacts with a Google service (or a page with Google’s tracking cookies). After just 9 days of automated browsing across different Google services, their bots’ tracking cookie was sufficient to fool the risk analysis system into thinking they were human, and checking off the box. However, their experiments revealed each cookie could only immediately complete 8 captchas per day before needing to solve additional challenges. Their results also showed that the reCaptcha system attempts to fingerprint the browser, using canvas rendering techniques, comparing the user-agent to what the browser reports, and potentially more. Despite these impressive efforts of the risk analysis engine to identify a bot before the captcha, reCaptcha still remains susceptible to low-resource attacks on its audio challenge.

Over the last decade, reCAPTCHA has continuously evolved its technology. In reCAPTCHA v1, every user was asked to pass a challenge by reading distorted text and typing into a box. To improve both user experience and security, they introduced reCAPTCHA v2 and began to use many other signals to determine whether a request came from a human or bot. This enabled reCAPTCHA challenges to move from a dominant to a secondary role in detecting abuse, letting about half of users pass with a single click. Today with reCAPTCHA v3, sites can test for human vs. bot activities by returning a score to tell you how suspicious an interaction is and eliminating the need to interrupt users with challenges at all. ReCAPTCHA v3 runs adaptive risk analysis in the background to alert you of suspicious traffic while letting your human users enjoy a frictionless experience on your site.

III. RELATED WORK

Captchas have long been the target of automated attacks. Due to the breadth of literature, we will focus only on attacking the V3 module. Almost a decade ago, Kochanski et al. investigated the security of audio captchas and developed a synthetic benchmark for evaluating automatic solvers. This work concluded that humans vastly outperform automated speech recognition systems (when audio noise/distortion is added to spoken digits), and has guided the design of modern audio captchas. Further independent studies deployed a two-phase segment-then-classify approach and successfully broke older versions of Google and Yahoo audio captchas. These two-phase solvers usually operate by first extracting portions of the captcha that contain the digit, and then running pre-trained machine learning algorithms to classify those individual digits, rather than classifying them all at once.

The aim of this project is to study and evaluate the Google V3 captcha systems that are in use today. With this study we propose an attack scenario that utilizes automated scripts to compromise the system. Our work relies on a previous case study conducted by Ismail Akrout, Amal Feriani, Mohamed Akrout in their paper Hacking Google reCAPTCHA v3 using Reinforcement Learning [1]. This paper presents a Reinforcement Learning (RL) methodology to bypass Google reCAPTCHA v3 where the agent learns how to move the mouse and click on the reCAPTCHA button to receive a high score. The authors also used a divide and conquer strategy to defeat the reCAPTCHA system for any grid resolution. Their proposed method achieves a success rate of 97.4

In our research we also relied upon another case study conducted by Suphannee Sivakorn, Iasonas Polakis and Angelos D. Keromytis in their paper I am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs (12th May 2016). In this paper, the authors conduct a comprehensive study of reCaptcha, and explore how the risk analysis process is influenced by each aspect of the request. Through extensive experimentation, they identify flaws that allow adversaries to effortlessly influence the risk analysis, bypass restrictions, and deploy large-scale attacks. They design a novel low-cost attack that leverages deep learning technologies for the semantic annotation of images. Their system is extremely effective, automatically solving 70.78

Another study focuses on presenting a tool called unCaptcha, an automated system that can solve reCaptcha’s most difficult auditory challenges with high success rate. Its authors evaluate unCaptcha using over 450 reCaptcha challenges from live websites, and show that it can solve them with 85.15

Fig. 1: Workflow of captcha system flow as per the model integrated with Google Captcha system.

IV. SYSTEM MODEL

We consider a system inspired by Google’s suggestion, as shown in Figure 1. These systems are controlled by the JavaScript API, and the flow of captcha verification is as shown in Figure 1. Besides the JavaScript, the captcha system has an action defined and two keys provided by the Google server while registering the website: the Site key and the Secret key. The Site key is used for the communication between the client and the website server. The Secret key is used for communication between the website’s server and the Google captcha verification server. The captcha system returns a score between 0 and 1 as feedback on the legitimacy of the user.

In our system, for the sake of simplicity, we defined the action as the “submit” button using the “POST” [4] method of the JavaScript API, as shown in Figure 2. When the mouse cursor is moved from point A to point B, we consider it an activity. To keep the results unbiased, we end some activities by clicking the submit button and some by clicking at different locations, as a normal user would. Other activities can also be defined, such as reloading the page or just clicking at some random location without moving the mouse much. We kept the score threshold at 0.5 to provide a balance between security level and interruption for the user, as suggested by Google, although it can be altered as per the requirements.

The goal of the captcha system is to verify the legitimacy of the user if the user is real, and to take some action as defined by the developer if a bot does the activity. Hence the verification of an event is triggered by the mouse activity. Data collected from user activity is transmitted to the website server and further to the Google server for verification. This data is used for event-specific fingerprinting of user activity. Verification is done based on aggregate activity in a continuous move, not on each location change. We assume the user does not change to the bot or vice versa in the middle of an activity.

Fig. 2: View of our website integrated with ReCaptcha V3.

V. THREAT MODEL

We consider that the attacker can navigate through the website. This allows them to define actions in their bot to compromise the system. The attacker is however not able to modify the actions defined by the developer on detection, that means it is not compromised. However, a large delay between the event/activity timestamp and verification will be automatically rejected. So, the token is sent immediately after the event happens. Also, the attacker has basic knowledge of how the captcha system works (has read Google’s documentation) [5]. The attacker does not have access to the score returned by Google.

Fig. 3: Workflow of captcha system flow as per the model integrated with Google Captcha system.

As the user loads the website, the JavaScript API is also loaded with the page using the site key, as shown in Figure 3. When the user starts moving the mouse, the API starts fingerprinting the browser and records user behavior. After the user triggers the action, the “grecaptcha.execute” function comes into play. As a result, a token is generated. The token is then sent to the backend of the website server. The website’s server then sends the token to Google’s captcha server for further verification. Google analyzes the token by considering certain fingerprinting variables included in the token. As a result, Google returns a score for the activity. But the user/attacker does not have access to the score. So, if the user can do all actions available on the website, then it has been categorized as a real user, otherwise as a bot.

Our system considers two types of attackers. One records the real user activity and then inserts some additional actions in between for malicious activity. The other designs the activity from scratch. For the first type of adversary, a naïve attacker can also attack using the already available tools on the internet. In the second type, the attacker needs to know how the mouse activity is recorded. The attacker may or may not have access to tools available on the internet to record mouse activity.

VI. EXPERIMENTAL DESIGN

To evaluate the feasibility of our proposed system, we conducted multiple experiments in which we collected a total of 500 activity files including more than one million mouse locations in ten different user environments (Desktop/PC/OS). The activity was recorded during the normal operations of the user as performed on a daily basis.

Overview: During the study we collected data for a diverse range of events and activities. In a user environment we collected data over ten different machines to diversify the data and reduce the bias. Over a duration of two weeks we collected over one million points and five hundred activity files.

Data Collection: The ground truth for the events was collected using tools available on Google, such as the ReMouseStandard software [7], Macro Recorder [8], enabling a script in the browser [9] and others [10]. The variation in the sample included activities at different capture rates, varying the time interval to capture mouse location, mouse moving rate, random clicks, scrolling and others, to remove the synthetic data. Events are triggered by clicking the action button. An activity is defined as the cursor movement between the page load and a click, or between two consecutive clicks. The capture interval varies between 1 millisecond and 10 seconds. The outlier entries were removed from the data to reduce false positives, for example, suddenly moving the mouse from one corner to the other corner when the mouse capture interval is higher than 500 milliseconds. The data captured had all types of data, ranging from slow mouse move, fast mouse holding, just scrolling, continuous clicking, clicking after scrolling, and whole screen movements to small movements as a normal user would make in daily activities. The data was collected over different screen sizes and different screen resolutions to remove the dependency on screen location.

Ethical concerns: The project has been performed on personal PCs of known people with their permission. The activities were performed on personal websites, to avoid unwanted event triggers. The recorded data did not include any personal data.

VII. CONCLUSIONS

We tried a classification technique called “Binary classification” using a KNN mining technique. Through our experiments we concluded that building a traditional classifier is not suitable for such an attack on V3. The data collected shows us how Google uses behavior-based analysis for calculating risk and returns a score for the same. We also inferred that the data can be used to train a bot that uses Reinforcement learning for training.

REFERENCES

[1] Ismail Akrout, Amal Feriani, Mohamed Akrout. Hacking Google reCAPTCHA v3 using Reinforcement Learning. https://arxiv.org/abs/1903.01003
[2] Kevin Bock, Daven Patel, George Hughey, Dave Levin. unCaptcha: A Low-Resource Defeat of reCaptcha’s Audio Challenge. https://uncaptcha.cs.umd.edu/papers/uncaptchawoot17.pdf
[3] S. Sivakorn, I. Polakis and A. D. Keromytis. I am Robot: (Deep) Learning to Break Semantic Image CAPTCHAs. 2016 IEEE European Symposium on Security and Privacy (EuroSP), Saarbrucken, 2016, pp. 388-403, doi: 10.1109/EuroSP.2016.37
[4] Google Developer Portal. https://developers.google.com/recaptcha/docs/verify
[5] Google Developer Portal. https://developers.google.com/recaptcha/intro
[6] pixelprivacy.com/resources/browser-fingerprinting/
[7] https://www.remouse.com/
[8] https://www.macrorecorder.com/
[9] https://stackoverflow.com/questions/7790725/javascript-track-mouse-position
[10] https://www.prohavit.com/blog/8-free-macro-recorder-automate-traditional-mouse-keyboard/
[11] https://webmasters.googleblog.com/2018/10/introducing-recaptcha-v3-new-way-to.html
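The token verification step and 0.5 score threshold described in the System Model and Threat Model sections, seen from the website server, as an added example that is not code from the paper: it checks the fields of Google's siteverify reply (success, action, hostname, timestamp, score) and returns only a generic result to the browser, since the threat model assumes the client never sees the score. The hostname, policy values, fixed clock and sample replies are constructed assumptions.

```javascript
// Added example, not the paper's code. Field names follow Google's documented
// siteverify JSON reply; policy values and sample replies are constructed.
const VERIFY_URL = "https://www.google.com/recaptcha/api/siteverify";
const POLICY = {                    // hypothetical site policy
  expectedAction: "submit",         // the action the paper defines
  expectedHostname: "shop.example", // placeholder hostname
  minScore: 0.5,                    // threshold used in the paper
  maxAgeMs: 2 * 60 * 1000,          // assumed limit on token age
};

// Form body the website server POSTs to VERIFY_URL (secret key stays server-side).
function buildVerifyBody(secretKey, token, remoteIp) {
  const body = new URLSearchParams({ secret: secretKey, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  return body.toString();
}

// Turn Google's reply into an allow/deny decision with internal-only reasons.
function assessVerification(reply, policy, nowMs) {
  if (reply.success !== true) {
    const codes = (reply["error-codes"] || []).join(",");
    return { allow: false, reasons: ["verify failed: " + codes] };
  }
  const reasons = [];
  if (reply.action !== policy.expectedAction) reasons.push("action mismatch");
  if (reply.hostname !== policy.expectedHostname) reasons.push("hostname mismatch");
  const ageMs = nowMs - Date.parse(reply.challenge_ts); // NaN if timestamp missing
  if (!(ageMs >= 0 && ageMs <= policy.maxAgeMs)) reasons.push("stale token");
  const scoreOk = typeof reply.score === "number" && reply.score >= policy.minScore;
  if (!scoreOk) reasons.push("low score");
  return { allow: reasons.length === 0, reasons };
}

// What goes back to the browser: never the score or the reasons.
function clientResponse(decision) {
  return decision.allow ? { status: 200, body: "ok" }
                        : { status: 403, body: "request rejected" };
}

// Constructed sample replies, evaluated at a fixed clock for repeatability.
const NOW = Date.parse("2024-01-01T12:00:30Z");
const BASE_REPLY = { success: true, score: 0.9, action: "submit",
                     hostname: "shop.example", challenge_ts: "2024-01-01T12:00:00Z" };
const SAMPLES = {
  human: BASE_REPLY,
  lowScore: { ...BASE_REPLY, score: 0.3 },
  stale: { ...BASE_REPLY, challenge_ts: "2024-01-01T11:50:00Z" },
  wrongAction: { ...BASE_REPLY, action: "login" },
  replayed: { success: false, "error-codes": ["timeout-or-duplicate"] },
};
function runSamples() {
  return Object.fromEntries(Object.entries(SAMPLES).map(
    ([name, reply]) => [name, assessVerification(reply, POLICY, NOW)]));
}
```

The internal reasons are meant for server logs; `clientResponse` keeps the score and the failing check out of the reply so the response cannot be used as feedback on how a request was scored.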