Earlier this year Google boasted that its security AI no longer requires you to tick a box in its reCAPTCHA system to know you’re not a bot. But it appears the company might have celebrated a bit prematurely.

A group of researchers from the University of Maryland have developed a new algorithm, called unCAPTCHA, that is capable of defeating the reCAPTCHA system with a mind-boggling success rate of 85 percent.


The method exploits a vulnerability in the audio version of reCAPTCHA to accomplish such high consistency. The solution involves using browser automation software to parse out the necessary elements and identify spoken numbers. The next step is to pass these numbers programmatically with the view to fooling target sites into thinking their bot is a human.

“Specifically, unCAPTCHA targets the popular site Reddit by going through the motions of creating a new user, although unCAPTCHA stops before creating the user to mitigate the impact on Reddit,” the researchers explain.

To make this happen, the AI abuses several known flaws in Google’s security system to lower reCAPTCHA’s “suspicion level significantly.”

The most impressive part is that the researchers used a series of audio transcription services to defeat the system. Curiously, these services involved IBM, Google Cloud and Speech Recognition, Sphinx, Wit-AI, and Bing Speech Recognition.

So in a way, the researchers turned Google’s own tech against itself.

After disclosing this flaw to the Big G back in April, the researchers point out the company has since added some additional protections that limit unCAPTCHA’s success rate.

“For instance, Google has also improved their browser automation detection,” the documentation reads. “This may lead to Google sending odd audio segments back to the end user. Additionally, we have observed that some audio challenges include not only digits, but small snippets of spoken text.”

The researchers have since released the full proof of concept in a paper you can see in more detail here. They have also from a proof-of-concept presentation they gave at the Usenix WOOT ’17 conference in Vancouver.


Unofficial Google Search Bot for Telegram

Telegram bot (supports both inline/chat) that returns search results (web/image) from Google.

How to use

You are strongly advised to host your own, as Google has imposed a limit of 100 searches per day on their API unless you start paying. As an independent dev, it's not something I could afford. Currently you could test the bot at, but it's only intended for evaluation purposes due to the limited quota available. Sorry, but it has to be like this.

Run instructions

    git clone google-search-telegram-bot
    pip install -e .
    PYTHONPATH=src python3 src/app/init.py

You might want to do this in a venv. After setting these up you'll have to fill in your API keys in config.json.

Hosting on pythonanywhere

One easy option to host the bot for free is on PAW. In your web console you should set the source directory to src and modify the WSGI config file based on the sample given in this repo (misc/pythonanywherecomwsgi.py).

config.json

This file holds constants like API keys that should be kept outside of the repo. config.json should be a text file of valid serialized JSON. The following fields must be present:

telegrambottoken. Your Telegram bot token. You need to obtain it via @BotFather following the instructions outlined at.

googleapikey. Your Google API key used to authenticate the Custom Search API. You need to obtain it using the setup tool here:.

searchengineid. Your Search Engine ID. Create a new engine at. When creating a new engine, input a random site in 'Sites to search'. After creation, click modify, then change 'Search only included sites' to 'Search the entire web' and remove the random site you just added.

allowonlyusers. You could limit who could use the bot hosted by you. You can either whitelist a user by id or username. Example: 999999,'fancyuser' would allow the 2 users to use your hosted bot. An empty list would allow all.

pawapp. Useful only when you are hosting on PAW (See for more details).

url. The URL of your web app.

webhooksecret. Any string, must be valid URL characters.

Dependency

Python 3 (developed and tested on 3.5).

Telepot.
