
Leaderboard

Popular Content

Showing content with the highest reputation on 01/05/21 in all areas

  1. Google Speech-to-Text API Can Help Attackers Easily Bypass Google reCAPTCHA

January 05, 2021, Ravie Lakshmanan

A three-year-old attack technique to bypass Google's audio reCAPTCHA by using its own Speech-to-Text API has been found to still work with 97% accuracy.

Researcher Nikolai Tschacher disclosed his findings in a proof-of-concept (PoC) of the attack on January 2.

"The idea of the attack is very simple: You grab the MP3 file of the audio reCAPTCHA and you submit it to Google's own speech-to-text API," Tschacher said in a write-up. "Google will return the correct answer in over 97% of all cases."

Introduced in 2014, CAPTCHAs (or Completely Automated Public Turing tests to tell Computers and Humans Apart) are a type of challenge-response test designed to protect against automated account creation and service abuse by presenting users with a question that is easy for humans to solve but difficult for computers.

reCAPTCHA is a popular version of the CAPTCHA technology that was acquired by Google in 2009. The search giant released the third iteration of reCAPTCHA in October 2018. It completely eliminates the need to disrupt users with challenges in favor of a score (0 to 1) that's returned based on a visitor's behavior on the website, all without user interaction.

The whole attack hinges on research dubbed "unCaptcha," published by University of Maryland researchers in April 2017 targeting the audio version of reCAPTCHA. Offered for accessibility reasons, it poses an audio challenge, allowing people with vision loss to play or download the audio sample and solve the question.

To carry out the attack, the audio payload is programmatically identified on the page using tools like Selenium, then downloaded and fed into an online audio transcription service such as Google Speech-to-Text API, the results of which are ultimately used to defeat the audio CAPTCHA.

Following the attack's disclosure, Google updated reCAPTCHA in June 2018 with improved bot detection and support for spoken phrases rather than digits, but not enough to thwart the attack, for the researchers released "unCaptcha2" as a PoC with even better accuracy (91% when compared to unCaptcha's 85%) by using a "screen clicker to move to certain pixels on the screen and move around the page like a human."

Tschacher's effort is an attempt to keep the PoC up to date and working, thus making it possible to circumvent the audio version of reCAPTCHA v2 by

"Even worse: reCAPTCHA v2 is still used in the new reCAPTCHA v3 as a fallback mechanism," Tschacher noted.

With reCAPTCHA used by hundreds of thousands of sites to detect abusive traffic and bot account creation, the attack is a reminder that it's not always foolproof and of the significant consequences a bypass can pose.

In March 2018, Google addressed a separate flaw in reCAPTCHA that allowed a web application using the technology to craft a request to "/recaptcha/api/siteverify" in an insecure manner and get around the protection every time.

Source: https://thehackernews.com/2021/01/google-speech-to-text-api-can-help.html
    3 points
  2. Hi, we are looking for a Senior Penetration Tester for our team. The team consists of 3 people from the forum and our manager. We have several other colleagues on the security team, but on the pentest side (Product Security) it's us.

What we do, broadly:
- a lot of web security
- a lot of code review: ASP.NET, JavaScript, Java, but also others
- there are also desktop applications, but (some of them) are built on web technologies too

So as not to disappoint anyone, we are looking for someone with a great deal of web experience who also knows code review. Some of the things we will do together are purely code review, but don't think of it as something extremely hard. We also plan to do red team, external network pentest, cloud security and more, but the vast majority of the time this is roughly what we do. I mention this so that people who want to do a lot of exploit development or red team don't apply; simply put, we want someone who enjoys what we do.

You can apply directly on the site. If you have questions, post here or send me a private message.

Official description:

At UiPath we see boundless potential in the way we live. It drives the way we work. Our culture is our most valuable asset, that's why it acts like a compass to us. We're fast, immersed, humble and bold. And that's not just words on the walls. Eliminating time-consuming tasks means people get to do more of what they love. It's an inspiring, high stakes challenge that motivates us, and this common passion bonds UiPath employees globally. We all strive every day to be better and to accelerate human achievement. We make robots, but we hire people. Would you like to be part of this journey?

UiPath is looking for a senior penetration tester to help and grow the security assessment function related to its products and cloud infrastructure.

Your mission: You will develop and apply formal security centric assessments against existing and in-development UiPath products as well as UiPath's cloud environment. You might also be part of other activities such as red teaming, trainings for development teams or management of our bug bounty program.

A successful Penetration Tester at UiPath is a self-starter, with strong problem-solving skills. Ability to maneuver in a fast-paced environment is critical, as well as handling ambiguity coupled with a deep grasp of various security threats. As a true owner of security in UiPath, great writing skills are needed, coupled with the ability to interact with stakeholders across multiple departments and teams. The Senior Penetration Tester acts as a mentor for technical peers and can transpose testing strategies and results into high level non-technical language.

This is what you'll do at UiPath:
- Penetration testing on products and cloud infrastructure
- Security testing of desktop applications (Windows)
- Source code review (multiple programming languages)
- Recommendation of threat mitigations
- Security training and outreach to internal development teams
- Security guidance documentation
- Security tool development
- Security metrics delivery and improvements
- Assistance with recruiting activities

This is what you'll bring to UiPath:
- BS in Computer Science or related field, or equivalent work experience
- Minimum of 7 years of experience with penetration testing at application and infrastructure layers
- Minimum of 5 years of experience in working with developers, with personal skills in coding/scripting
- Good understanding of cyber-attack tools and techniques
- Good knowledge of attacking services hosted in cloud (Azure, AWS, GCP)
- Experience writing POCs for discovered vulnerabilities
- Good knowledge of operating system, network and database security
- Advanced knowledge and understanding of web application security
- Experience using various penetration testing tools (such as BurpSuite, Metasploit, Nessus, etc.)
- Experience using debuggers and disassemblers for reverse engineering (IDA)
- Experience with Red Team exercises
- Experience with multiple programming languages

Life at UiPath, like a lot of startups, can sometimes feel like a roller coaster. It comes with changes and challenges, but also with the opportunity to shape how work is done, to have great impact and learn a great deal.

At UiPath, we value a range of diverse backgrounds, experiences and ideas. We pride ourselves on our diversity and inclusive workplace that provides equal opportunities to all persons regardless of age, race, color, religion, sex, sexual orientation, gender identity and expression, national origin, disability, military and/or veteran status, or any other protected classes. UiPath is committed to working with and providing reasonable accommodation to individuals with disabilities. If you have a medical condition or disability which inhibits your ability to complete any part of the application process, and are in need of a reasonable accommodation to complete the process, please contact us at TALeaders@uipath.com and let us know how we may assist you.

This notice together with our Privacy Policy and Terms of Use of this website and any other documents we mention here are meant to inform you on what personal data about you we collect, use, disclose, share or otherwise process when you are applying for a job at UiPath or when UiPath contacts you for recruitment purposes. Please read this policy carefully to understand our views and practices on how we protect your personal data.

Link: https://www.uipath.com/company/careers/europe/bucharest/engineering-development/senior-penetration-tester
    1 point