• unexposedhazard · 21 points · 4 hours ago

    This is like 20 lines of code, so shouldn't take long to verify for someone who knows what they are doing.

    • r00ty@kbin.life · 16 points · 3 hours ago

      Looks to me like they’re essentially redirecting the request from the normal api to do age checks to their own api, and just saying “Sure, they’re an adult” to discord (since that is all the “proper” api tells them). There are easy ways for Discord to fix this. So do not expect it to work for long.

      What could be risky? Well it seems to be loading some libraries. What are they doing? Don’t know, didn’t check. Probably just keeping the line count of the actual code down. But, who knows?

      The other thing (and they of course do need to do this): they pass the full URL that would be sent to the “proper” api to their own. So if there is some private info about you/your account they usually send on, these guys would have that data too.

      Just a quick 5-minute look though. I didn’t look too much into it because I’m not going to use it :P

      EDIT: Looks like they actually detail what they do and it seems to involve actually tricking the age verification api too. Interesting stuff. Still not going to do it.

      • Elvith Ma'for@feddit.org · 7 points · 3 hours ago

        Looks to me like they’re essentially redirecting the request from the normal api to do age checks to their own api, and just saying “Sure, they’re an adult” to discord (since that is all the “proper” api tells them).

        Wait… Those amateurs [at discord and the age check company] didn’t even think of signing the check in any way and then verifying the data they get sent back? That’s not even hard to implement?!

        • r00ty@kbin.life · 4 points · 2 hours ago

          Well, as I added in the edit, I think they do a bit more and actually fool the verification site, since they don’t send the whole image; they do the work locally (which is good for privacy). So they fake valid-looking metadata and then presumably get a signed result back, which they dutifully pass on to discord.

      • Zetta@mander.xyz · 1 point · 1 hour ago

        The details on how it works from the website for those reading this chain.

        "how does this work

        k-id, the age verification provider discord uses, doesn’t store or send your face to the server. instead, it sends a bunch of metadata about your face and general process details. while this is good for your privacy (well, considering some other providers send actual videos of your face to their servers), it’s also bad for them, because we can just send legitimate-looking metadata to their servers and they have no way to tell it’s not legitimate. while this was easy in the past, k-id’s partner for face verification (faceassure) has made this significantly harder to achieve after amplitude’s k-id verifier was released (which doesn’t work anymore because of it.)

        with discord’s decision of making the age verification requirement global, we decided to look into it again to see if we can bypass the new checks.

        step 1: encrypted_payload and auth_tag

        the first thing we noticed that the old implementation doesn’t send, when comparing a legitimate request payload with a generated one, is that it’s missing encrypted_payload, auth_tag, timestamp and iv in the body.

        looking at the code, this appears to be a simple AES-GCM cipher with the key being nonce + timestamp + transaction_id, derived using HKDF (sha256). we can easily replicate this and also create the missing parameters in our generated output.

        step 2: prediction data

        here’s where it kind of gets tricky: even after perfectly replicating the encryption, our verification attempt still doesn’t succeed, so they must also be doing checks on the actual payload.

        after some trial and error, we narrowed the checked part down to the prediction arrays, which are outputs, primaryOutputs and raws.

        turns out, both outputs and primaryOutputs are generated from raws. basically, the raw numbers are mapped to age outputs, and then the outliers get removed with z-score (once for primaryOutputs and twice for outputs).

        there are also some other differences:

        - XScaledShiftAmt and yScaledShiftAmt in predictions are not random but rather can be one of two values
        - it is checked that the media name (camera) matches one of your media devices in the array of devices
        - it is checked if the states’ completion times match the state timeline

        with all of that done, we can officially verify our age as an adult. all of this code is open source and available on github, so you can actually see how we do this exactly."