Post AVkWAl6Lw7MjWdjPM0 by moralrecordings@digipres.club
 (DIR) Post #AVkWAexykL6OUvldT6 by moralrecordings@digipres.club
       2022-12-11T09:33:23Z
       
       1 likes, 2 repeats
       
       Urgh. Sometime back in September Twitch added a proprietary browser "integrity check" as part of the login process. It is ridiculously sensitive; the only way I can log in with Firefox is with a completely blank profile. Disabling extensions doesn't cut it, tech support doesn't care. Things are dire enough I am reversing the obfuscated JS blob to see what part of the stupid test isn't working.
       
 (DIR) Post #AVkWAgNBW6rIrOZHOa by moralrecordings@digipres.club
       2022-12-11T10:13:27Z
       
       1 likes, 0 repeats
       
       oh no a scrambled lookup table with keys scattered through the code how will we ever get past thi oh wait never mind
       
 (DIR) Post #AVkWAhX9CYQESaEkYy by moralrecordings@digipres.club
       2022-12-11T10:43:21Z
       
       1 likes, 0 repeats
       
       but they must do this thousands of times surely we will be driven to madness manually editing them all ba oh yeah scripting
       
 (DIR) Post #AVkWAikIh8XODfOlhg by moralrecordings@digipres.club
       2022-12-11T10:52:36Z
       
       1 likes, 0 repeats
       
       but but thousands of lines!!! we could be here weeks, perhaps months looking for a lead on what part is doing the chec goddamn it
       
 (DIR) Post #AVkWAk0zyXUM9kDcMy by moralrecordings@digipres.club
       2022-12-11T16:45:42Z
       
       1 likes, 0 repeats
       
       I win
       
 (DIR) Post #AVkWAl6Lw7MjWdjPM0 by moralrecordings@digipres.club
       2022-12-11T16:50:54Z
       
       1 likes, 0 repeats
       
       Ok, so let's go over what is going on. Logging into Twitch, and in fact lots of actions on Twitch (e.g. claiming the channel point bonus), requires that the browser first passes the integrity check. This involves sending an empty POST request to a URL with two key headers attached.
       
 (DIR) Post #AVkWAmHjXI3zCE40jQ by moralrecordings@digipres.club
       2022-12-11T16:57:56Z
       
       1 likes, 0 repeats
       
       The first is x-kpsdk-cd, the excitingly-named "challenge data". This is proof that you did a piddling little bit of busywork based on the current time of day. I have no idea what the point of this is; "challenge-response" normally implies that the server gives you the challenge, but for this one -you- get to pick the 128-bit seed id! So it's more just "response".
       
 (DIR) Post #AVkWAnwBOO0sJxzpQ0 by moralrecordings@digipres.club
       2022-12-11T17:05:08Z
       
       1 likes, 0 repeats
       
       And the other is x-kpsdk-ct, the "client token". This is obtained by opening an invisible iframe at a fixed URL, with a one-line script that sends a token over the message passing bus. That's it. That's the unforgeable browser check.
       
 (DIR) Post #AVkWAp558mj3rrARvc by moralrecordings@digipres.club
       2022-12-11T17:07:25Z
       
       1 likes, 0 repeats
       
       Knowing all this, I took another look at the successful and failed POSTs to the integrity check. Both have a near-identical request structure. Both get the correct value for x-kpsdk-ct from the iframe. Both send an x-kpsdk-cd object. But on the failed POST, the value for "duration" was always 0.
       
 (DIR) Post #AVkWAqHsegYdbqABW4 by moralrecordings@digipres.club
       2022-12-11T17:07:37Z
       
       1 likes, 0 repeats
       
       This is thanks to a little setting in Firefox called privacy.resistFingerprinting, which makes the JavaScript timer less accurate in order to jam exploits. The time delta rounds down to zero, and surprise!!! ILLEGAL BROWSER!
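
The failure mode described above, as an added example that is not part of the thread and does not reproduce Twitch's SDK: a timer quantised to a coarse step (the way privacy.resistFingerprinting coarsens performance.now()) makes any piece of work shorter than one quantum measure as a duration of 0, and a server-side rule of "duration must be greater than 0" then rejects a perfectly ordinary browser. The quantum value, the fake clock, the busywork loop and the validator functions are all assumptions constructed for the demo. The last function shows the design that would have avoided the bug: keep working until the clock visibly advances, so the reported duration is nonzero at any timer resolution.

```javascript
// Added example, not Twitch's or the SDK vendor's code.
// Deterministic stand-in for a real clock: every read advances by stepMs.
// Constructed for the demo so the result does not depend on machine speed.
function makeFakeClock(stepMs) {
  let t = 0;
  return () => {
    const v = t;
    t += stepMs;
    return v;
  };
}

// Coarsen a clock to multiples of quantumMs, mimicking a fingerprinting-
// resistant timer. The quantum is a demo assumption, not Firefox's value.
function makeCoarseClock(quantumMs, realNow) {
  return () => Math.floor(realNow() / quantumMs) * quantumMs;
}

// Busywork stand-in for the SDK's "challenge": a few thousand cheap
// arithmetic steps. It does not model the real challenge at all.
function busywork(iterations) {
  let x = 0;
  for (let i = 0; i < iterations; i++) x = (x * 31 + i) | 0;
  return x;
}

// Naive measurement: one clock read before the work, one after.
// With a coarse clock both reads can land in the same quantum -> 0.
function measureDuration(now, work) {
  const start = now();
  work();
  return now() - start;
}

// Naive validator (assumed): treats duration === 0 as impossible for a
// real browser and rejects it. This is exactly the misfire in the thread.
function naiveValidate(challengeData) {
  return Number.isFinite(challengeData.duration) && challengeData.duration > 0;
}

// Robust measurement: repeat the work until the clock has visibly advanced,
// so the duration is at least one quantum regardless of timer resolution.
// Returns the measured duration and how many rounds of work it took;
// duration stays 0 only if the clock never ticks within maxRounds.
function measureUntilTick(now, work, maxRounds) {
  const start = now();
  let rounds = 0;
  let elapsed = 0;
  while (rounds < maxRounds) {
    work();
    rounds += 1;
    elapsed = now() - start;
    if (elapsed > 0) break;
  }
  return { duration: elapsed, rounds };
}

// Run the two scenarios: a fine timer and a 100 ms-quantised timer.
function demo() {
  const work = () => busywork(5000);

  const fineClock = makeFakeClock(3);          // 3 ms per read
  const fineDuration = measureDuration(fineClock, work);

  const coarseClock = makeCoarseClock(100, makeFakeClock(3));
  const coarseDuration = measureDuration(coarseClock, work);

  const robust = measureUntilTick(makeCoarseClock(100, makeFakeClock(3)), work, 1000);

  return {
    fineDuration,                                  // 3
    fineAccepted: naiveValidate({ duration: fineDuration }),     // true
    coarseDuration,                                // 0
    coarseAccepted: naiveValidate({ duration: coarseDuration }), // false
    robustDuration: robust.duration,               // 100
    robustRounds: robust.rounds,                   // 34
    robustAccepted: naiveValidate({ duration: robust.duration }), // true
  };
}
```

Calling demo() shows the same work measuring as 3 ms on the fine clock and 0 ms on the quantised one, with the naive validator rejecting the second; the until-tick version reports 100 ms after 34 rounds on the same coarse clock, which the validator accepts. The defensive lesson is that a zero duration says "below timer resolution", not "not a browser", and a proof-of-work check should size or loop its work so that it spans at least one tick of the coarsest timer it expects to meet.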
       
 (DIR) Post #AVkWArSYIUgjFEADmy by moralrecordings@digipres.club
       2022-12-11T17:08:56Z
       
       1 likes, 0 repeats
       
       For now I fixed it by disabling privacy.resistFingerprinting. Mea culpa, I probably could have found this out without picking apart all the source code, but now we know exactly why it's busted. This whole integrity check SDK looks like snake oil; if there's some kind of magic real-human-browser test going on I am not seeing it.
       
 (DIR) Post #AVlZs7prmVNHVTLmkK by me@mastodon.cysioland.pl
       2023-03-25T18:43:45Z
       
       1 likes, 0 repeats
       
       @moralrecordings looks like something engineered to block the privacy.resistFingerprinting crowd