Search for Deployment and PrivatelyLinkAction IDs #12
FubyCutie wants to merge 2 commits into xyzeva:main from
Remove hardcoded IDs, in favour of searching for them
|
The K_ID_PRIVATELY_ACTION_ID parsing logic seems flawed. You're returning Replacing the |
Off by one
|
How can I use this code in place of the url in the script |
good catch, I was just visually verifying the functions returned what I expected in a console, not proper testing (not sure how, never really done web dev), and must've missed that |
what do i replace in the original script to use this, if that's possible? trying to use this before it's too late |
|
You don't have to be rude about it lol. I am a developer who doesn't have experience in this |
I unfortunately, have no idea, as mentioned, I don't actually know how to run this, I just made sure what I wrote matches what was there before (incorrectly at first 🙁), and left it at that. I wish you luck, maybe look at the top screenshot? |
The commands in the first screenshot shown in #12 (comment) are basically all you need to run a local instance of this. |
what an insane bullshit to post. you should seriously reconsider your attitude, ffs im lazy myself but im going to explain it very basically:
if this isn't specific enough, paste my steps into any LLM (chatgpt/whatever) and let it help you |
|
Just saw the edit to the message above. Nothing to do with being selfish; if I came across that way then that's on me and I apologise. I have asked for help once and I clearly got ignored (thanks to the people who just commented, statement no longer true). I am ok with that. If a dev who knows what they are doing responds to me, great. I am not wasting anyone's time by posting a message that people can choose not to ignore. |
|
Thank you guys for helping me lmao |
|
unfortunately doesn't work for me too :x |
|
Ohh ok yes sorry haha |
damn, didn't work for me either. although thanks to you I managed to get through all the steps after a couple tries, and now I have some tiny amount of knowledge on how this stuff works, so thanks! |
|
check you haven't just been ratelimited and now it does nothing, after trying a few times i'm getting 429d {"message": "Ton nombre d'actions est limité.", "retry_after": 5264.733, "global": false} |
|
Nope, mine says that it has worked successfully but it doesn't. Maybe we have to wait for a maintainer to solve this? |
|
As of rn they only switched to persona in the UK I believe so we probably have a bit more time |
|
Do you have a source on that? I thought it was just regular a/b testing |
|
I saw it on twitter 😭 but it would probably make sense due to their harsher regulation |
|
Would make sense |
| const randomChoice = <T>(arr: T[]): T => arr[Math.floor(Math.random() * arr.length)]; | ||
|
|
||
| async function getDeploymentId() { | ||
| const body = await fetch('https://assets.k-id.com/family-portal/_next/static/chunks/f5d8702bf5f6d23d.js').then(function(response) { return response.text(); }); |
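Review bot: In getDeploymentId the body is read with response.text() without checking the response status, so if the hardcoded chunk URL (f5d8702bf5f6d23d.js) stops resolving, an error page is parsed as if it were the script and the failure only shows up later as a missing or wrong ID. Check response.ok before reading the body and throw an error that names the URL and the status, so a stale URL fails loudly at the fetch.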
When k-id updates things on their end, the chunk hash will change, no? Seems like the JS URLs would also need to be fetched dynamically for this to be effective
these are included directly in the discord source as far as I could tell, which led me to believe they might be fixed per file, as otherwise they would have to update every time, however I could be mistaken. If you have any idea where these might be fetched from if so, I'll try and figure that out, for now I have no lead on that
> these are included directly in the discord source as far as I could tell, which led me to believe they might be fixed per file, as otherwise they would have to update every time, however I could be mistaken. If you have any idea where these might be fetched from if so, I'll try and figure that out, for now I have no lead on that
links actually come from the HTML source for the https://family.k-id.com/verify? ... page; (also they're all prefixed with ?dpl=20260212022457-12a036e-production
which makes some of it easier, no idea how you'd find which one specifically contains the deployment id
I don't see any reason I couldn't just search every file to find generatePrivatelyLinkAction, however I am currently struggling to even get at the HTML to do that, but I think that is purely a skill issue
> these are included directly in the discord source as far as I could tell, which led me to believe they might be fixed per file, as otherwise they would have to update every time, however I could be mistaken. If you have any idea where these might be fetched from if so, I'll try and figure that out, for now I have no lead on that
> links actually come from the HTML source for the https://family.k-id.com/verify? ... page; (also they're all prefixed with ?dpl=20260212022457-12a036e-production which makes some of it easier, no idea how you'd find which one specifically contains the deployment id
Just FYI, the deployment ID can also be retrieved from the x-release-version response header of the /verify request.
The private action ID however seems harder to retrieve. Brute forcing, i.e. fetching all JS assets, would work but I think this should be used only if no other solution is found.
Does anyone with Next.js experience know if server action IDs can be retrieved in a smarter way? (Is the asset file defining them findable deterministically?)
honestly this should probably be documented in the readme or something; even if you are vaguely a 'dev' per se you might not have ever dealt with Svelte or node before, and it just makes sense to include it ig.. anyway might make a pr for that |
|
Tried all suggested. It doesn't work. I tried Node.js and Bun. It all appears to work successfully but it doesn't seem to do anything to your account. |
i'm also having the same issue, but with node.js and npm. maybe it's because i'm in the UK and they've switched AV providers? |
No idea. I'm also in that location. Wonder if doing it over VPN would make it work. Can't try it right now though |
same issue here, tried through different countries via VPN, when i start the process manually i am redirected to K-id so i don't think it's due to a different provider being used. If it's any help the browser console outputs error 400 when starting the script complaining about "Bad request" to /age-verification/verify. I can't paste the exact error because i'm getting rate limited now. To clarify: despite the error output in console the script continues and says it verified successfully, however the status does not change in the account and no message is received confirming the verification. I am using the local version of the script, it may be that i set it up wrong but i'm fairly sure i followed the guide and wouldn't know how to check. the node.js console doesn't output any errors other than a 404 on favicon.ico which shouldn't matter |
|
digging through the correct ID is const K_ID_DEPLOYMENT_ID = '20260212022457-12a036e-production'; which also is what the thing to automatically get the ids is giving; they seem to match what i'm getting on the official site requests/body wise; however despite that, it's still not verifying, suggesting some other change was made on k-id side- i'm trying to figure out what exactly .. but this site is so trash it keeps crashing my firefox as soon as i open camera .. |
if it's any help, i tried both firefox and chrome and still no dice, also tried disabling ublock just in case |
rate limit on selfies may be temporary, i only tried on my alt for this reason, and i suggest other people do the same unless the script is confirmed working, and don't try more than once on accounts you care about if it fails |
|
I'm as much a fan of open source software as anybody. But in this case, since they're clearly looking at this and trying to patch it i believe if the script devs get it working again they should keep the backend private. at the very least until a few days after discord officially rolls AV out worldwide to give as many people as possible the chance to use this script before it gets patched, and make it as hard as possible for discord/kid to break it. Security through obscurity is considered bad practice, but revealing your hand to someone while they keep theirs hidden is not a good play. So in my opinion working bypass script backends should stay secret for the time being, to make it harder to patch them out |
to be clear, there is no secure way to do "on device processing" for this sort of thing, it will always be some bullshit obfuscation, but i dont know maybe, but that also can make it look more suspicious / less trustworthy to users, also worth noting that said there are other tools that have been repeatedly attempted to be blocked by the big company running them, such as (e.g. yt-dlp), and they still generally work .. these kinds of cat-and-mouse games are usually a losing battle for the companies trying to push them in the long term. every so often youtube tried to block youtube downloaders, and yt-dlp gets updated quickly, .. so i dunno 🤷♀️ but then there are anti-features like Google Device Attestation, which typically have all the bypasses be closed source following this reasoning |
i mean, what is more suspicious / less trustworthy: sending your face to someone that promises to keep it secret or potentially sending your discord info to a malicious guy that could steal your account? I know what i'd rather do. It's true that closed source code is sus, but that's the whole reason why we're here isn't it? If kid open sourced the face verification such that users could actually verify it's entirely client side and could compile and run it locally there would be much less opposition to it. But they won't do that |
|
This is getting off topic so let's just make a recap of things for anyone checking this out:
|
|
Last I checked it said the acc was ratelimited for 2h due to too many tests but it's useless to try rn anyway |
no no you see they're a company so therefore its totally fine and okay now xS,- please don't think for 5 seconds what the real reason behind these """"'safety"""" features are, also don't think too hard about our press release where we say we're doing this to .. ' give them agency over their experience.' by denying them agency, and 'safety features that work with teens' that work completely against them and what they'd want; that would be silllyy anyway back on-topic: but also i dont know you can always just do the stupid analog-hole attack of just having a photo of someone else; or like a pic from google, that is assuming you can even get the site to work (i couldn't, lmao) .. they have a camera blacklist so you probably can't use obs, (for i wanted to try use udcd_uvc on the ps vita which is probably not on the blacklist lol) but also i suspect you could just fake the webcam name to be like "HP True Vision HD" or something- or photoshop a picture of some id idfk |
There are fake image verification tools available of varying quality. I have not tested them personally. While they're probably a more robust way to pass the check (as in harder to root out) they're not full bypass scripts as they still require an image, even if it's a 3D model on a screen. |
hence my comparison to the analog-hole (i.e. breaking video DRM by pointing a camera at the screen) .. it might work, but it kinda sucks too |
|
just use gmans face or citizen007 from hl2 🔥 |
|
What about not just use AI such as thispersondoesnotexist.com and using photoshop's new Smart Portrait to adjust the face? |
This requires either a fake video stream or some way to fool a real camera. Both are a lot less accessible than just paste some code into the console and slip through their verifier. |






Remove hardcoded IDs, in favour of searching for them.