Status code: 478 = Banned?

Issue #28 resolved
Kian Lütke created an issue
Trying request to https://api.go-tellm.com/api/v2/users/location
Get params: None
Token valid until: 2017-02-11 09:11:22
Request to https://api.go-tellm.com/api/v2/users/location successful (204)
Trying request to https://api.go-tellm.com/api/v2/posts/5840831bd2170361056d0861/upvote/
Get params: None
Token valid until: 2017-02-11 09:11:22
Request to https://api.go-tellm.com/api/v2/posts/5840831bd2170361056d0861/upvote/ failed:
Status code: 478
Text: 478

Whatever I do, whether trying to post or just upvoting a post, I get this status code... Am I banned, or has anyone else ever gotten this status code?

Comments (29)

  1. Robin Buse

    I noticed that /v3/user/config returns "verified": true for accounts that were created on my phones and "verified": false for accounts created by OJOC. Maybe there's a correlation, since verified accounts work as intended, whereas unverified accounts return 478 when trying to post or vote.

  2. Kian Lütke reporter

    Hm, okay... so there must be some kind of verification now... there was no update for the app, so maybe it's server-side only... the question now is what the difference is between a phone's account and an OJOC one.

  3. Christian Fibich repo owner

    Ok, I've decompiled the app now and there seem to be new requests

    /v3/user/verification/imageCaptcha

    and

    /v3/user/verification/push

    A GET request to /v3/user/verification/imageCaptcha yields something like this:

    {u'image_url': u'https://s3-eu-west-1.amazonaws.com/jodel-image-captcha/img_5_6_8.png',
     u'key': u'58788f8ef8ed0401b26b8b94',
     u'image_size': 245}
    

    The image, however, does not contain a visible Captcha Code. So, it's maybe distorted using the key?

    img_5_6_8.png

    From the decompiled app I get the idea that the image may be cut into sub-images for captcha validation. So... counting objects?

  4. Christian Fibich repo owner

    The key is needed in the POST request to /v3/user/verification/imageCaptcha which requires:

    • the key
    • an int[] answer

  5. Christian Fibich repo owner

    A POST request to /v3/user/verification/imageCaptcha with a correct key but wrong answer yields

    {u'verified': False}
    

    So I believe cracking the captcha is the way to go

  6. Christian Fibich repo owner

    LOL, captcha cracked:

    GET /v3/user/verification/imageCaptcha yields image URL

    in the format:

    https://s3-eu-west-1.amazonaws.com/jodel-image-captcha/img_([0-9]_)+.png

    so, e.g.,

    https://s3-eu-west-1.amazonaws.com/jodel-image-captcha/img_5_6_8.png

    Now, take the numbers (5,6,8), slap them into a list, transmit them as "answer" aaand... {u'verified': True}

    No doubt this will break soon...

  7. Konsul

    Great work! But how can the app vote before sending data to GET /v3/user/verification/imageCaptcha? I sniffed the HTTPS traffic directly after install and I found no connection to /v3/user/verification/imageCaptcha.

  8. Christian Fibich repo owner

    Was there a connection to /v3/user/verification/push? Maybe there's an alternative way to verify via the Google API push tokens.

    Also, if your phone already got a valid access token, there's no need to verify. Maybe the access token was somehow left over?

  9. Konsul

    1. request to google.com/loc/m/api
    2. request to /v2/users/location with Unauthorized response
    3. /v2/users to get token
    4. /v3/user/config with response "verified": true

    Nothing between that and voting worked

  10. Robin Buse

    Good work, but it seems they already changed the captcha mechanism: https://s3-eu-west-1.amazonaws.com/jodel-image-captcha/D3SKGYMB0C.png

  11. Robin Buse

    Fortunately, the only thing that has changed is the URL. The previous mechanism still works, i.e. responding with an array containing all the positions that have a hidden raccoon. It cannot be automated anymore though, unless we develop some ML algorithm that detects raccoons :D

  12. Christian Fibich repo owner

    but it seems they already changed the captcha mechanism

    OK, that was expected.

    Now, OJOC/Connection.py prints out the URL on the terminal and prompts for the positions of the racoons as a quick fix.

    unless we develop some ML algorithm that detects racoons :D

    Maybe as a research paper? ;-)

  13. Robin Buse

    Probably not, but maybe a bachelor thesis that demonstrates the usage of TensorFlow/Keras in this case :)

  14. Loewe1000

    Hey guys. So I noticed that the captchas are quite repetitive. There are approximately 30 images which repeat themselves over and over. The filename tells us the solution (if the captcha was answered once manually). This is a list between filename and solution:

    "1CEAFRH69O" => "7-8",
    "2QT6JRL06T" => "1-2",
    "4GEIEE5P8P" => "2-6-8",
    "5VI2JTJYWY" => "0-5",
    "6UHC4L53DG" => "0-2-3",
    "18FTBXVIJC" => "1-3-5",
    "AKWROEYSD3" => "1-5-7",
    "BL5901E1JS" => "0-4",
    "BNB1P58AJ6" => "4",
    "CORKCXU0TA" => "2-4-5",
    "D3SKGYMB0C" => "1",
    "DB96PZYUM7" => "2-7",
    "EJSHC2LTY1" => "5-6-8",
    "G6X12MP9DW" => "3",
    "IGDPXAFRE8" => "1-6-7",
    "IH92Z2ETIE" => "1-2-7",
    "JGA66GP5TG" => "1-5-8",
    "KUD8PU6UAB" => "5",
    "MF7ZX46TQQ" => "0-1-8",
    "MFDV8CMHHG" => "2-7-8",
    "MI9R8R1YIZ" => "1-7-8",
    "NI1A0RU1VJ" => "3-4-6",
    "OFJP966MXD" => "1-4-6",
    "OQZBADCV8I" => "2-5-8",
    "QNLPAJ8XGM" => "3-7-8",
    "RXNR1VZPUC" => "0-4-6",
    "YLJB76EJDY" => "3-4",
    "YO9E3X95IG" => "0-1-7",
    "ZJP7PW2LRG" => "4-5"
    

    Maybe you could use that in some way.

  15. Kian Lütke reporter

        def verify_captcha(self):
            solutions = {   "1CEAFRH69O" : [7, 8],
                            "2QT6JRL06T" : [1, 2],
                            "4GEIEE5P8P" : [2, 6, 8],
                            "5VI2JTJYWY" : [0, 5],
                            "6UHC4L53DG" : [0, 2, 3],
                            "18FTBXVIJC" : [1, 3, 5],
                            "AKWROEYSD3" : [1, 5, 7],
                            "BL5901E1JS" : [0, 4],
                            "BNB1P58AJ6" : [4],
                            "CORKCXU0TA" : [2, 4, 5],
                            "IH92Z2ETIE" : [1, 2, 7],
                            "JGA66GP5TG" : [1, 5, 8],
                            "KUD8PU6UAB" : [5],
                            "MF7ZX46TQQ" : [0, 1, 8],
                            "MFDV8CMHHG" : [2, 7, 8],
                            "MI9R8R1YIZ" : [1, 7, 8],
                            "NI1A0RU1VJ" : [3, 4, 6],
                            "OFJP966MXD" : [1, 4, 6],
                            "OQZBADCV8I" : [2, 5, 8],
                            "QNLPAJ8XGM" : [3, 7, 8],
                            "RXNR1VZPUC" : [0, 4, 6],
                            "YLJB76EJDY" : [3, 4],
                            "YO9E3X95IG" : [0, 1, 8],
                            "ZJP7PW2LRG" : [4, 5],
                            "DB96PZYUM7" : [2, 7],
                            "D3SKGYMB0C" : [1],
                            "EJSHC2LTY1" : [5, 6, 8],
                            "IGDPXAFRE8" : [1, 6, 7],
                            "G6X12MP9DW" : [3]}
    
            captcha  = self.get_captcha()
            prompt = 'Open\n\n\t'+captcha['image_url']+'\n\nin a browser and enter the images of the racoons (left to right, starting with 0) separated with spaces.'
            captchakey = captcha['image_url']
            captchakey = captchakey[-14:-4]
            solution = []
            ok = False
    
            for key in solutions:
                if key == captchakey:
                    ok = True
                    solution = solutions.get(key)
    
            while ok is not True:
                rv = raw_input(prompt+'\n> ')
                try:
                   solution = [int(i,10) for i in rv.split(' ')]
                   ok = True
                except ValueError as e:
                   print "Invalid input, try again"
    
            verified = self.post_captcha(captcha['key'],solution)
            if verified is False:
                raise ValueError("Could not Verify")
    

    I added a few missing captchas and changed the function, it's working :) Thank you @Loewe1000

    I don't know how to make a pull request lol @cfib90 maybe you could commit this :)

  16. Christian Fibich repo owner

    Thanks @Loewe1000 and @Kian1991. I added this string-based method and also a method based on the MD5 hashes of the images.

  17. Benedetto Nespoli

    Hello, I just checked and it seems that the captcha URL is now similar to

    https://s3-eu-west-1.amazonaws.com/jodel-image-captcha/e7970ed0-f780-11e6-81e2-b5685175817d.png

    Have they randomized the URL, since they just need the key to check the captcha? Don't know.

    We could check just the MD5, but it seems that now they have many more than 30 captchas.

  18. Christian Fibich repo owner

    That looks like a UUID4, suggesting that they generate the images randomly. I don't know if checking MD5 makes any sense.

  19. Benedetto Nespoli

    Thank you for your response @cfib90. OK, so that sounds like a good starting point for a pattern recognition system, I will try something.

    Anyway I want you to know that I really appreciate your work and your suggestions.

  20. Benedetto Nespoli

    I just did this with C++ and OpenCV 3:

    result.png result2.png

    Tested on just two images. I know this is a bit off-topic, but I want to share this fact with you, hoping that can help someone someday

  21. Benedetto Nespoli

    0.85 sec average time, using SIFT and Brute Force Matcher on a Celeron N2830 (a very low-power CPU with very low performance)

    I think I could improve it using the FAST detector and the FLANN Matcher, but less than 1 sec on a low end pc seems good to me

    Here you can find the code, if you are interested. It is not optimized though

  22. Robin Buse

    Interesting, thanks! I noticed, however, that it's not always reliable. For example in 568, it doesn't detect 5 at all.

    To achieve more reliability, I had some luck adding and detecting a second racoon image (racoon2.png, distance 0.55).

    In other words, the captcha is effectively broken :P It was an interesting challenge, but I think it shouldn't be integrated in OJOC. It's a cat-and-mouse game nobody wants to play any longer.

  23. Nils Borrmann

    I applaud your effort, but you guys are overengineering way too hard.

    There are only 129 solutions to the captcha, so we can just brute-force the thing. I also noticed that solutions with just one racoon are heavily overrepresented (they probably decide first on the number of racoons, with 1/3 probability each). Using the answer [3], it never took more than 30 tries to validate the account (mostly it was <10 tries).

    You'll run into 478 rate-limits, but those are tied to the account, so just create a new one when that happens.
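
Added example, not part of the original thread and not OJOC code: a Python sketch of the server-side view of the weaknesses the comments describe (answer readable from the image URL in comment 6, a skewed 129-answer space in comment 23), with the guessing odds worked out. The 9-tile, 1-to-3-raccoon layout is inferred from the thread's solution lists; `ChallengeStore`, `client_id` and `max_failures` are hypothetical names, and image rendering is out of scope.

```python
import secrets
from itertools import combinations
from math import comb

POSITIONS = 9     # assumption: tiles 0..8, as in the thread's solution lists
MAX_TARGETS = 3   # assumption: 1 to 3 raccoons, consistent with "129 solutions"
ALL_ANSWERS = [frozenset(c) for k in range(1, MAX_TARGETS + 1)
               for c in combinations(range(POSITIONS), k)]

def answer_space():
    """Number of distinct answers: C(9,1) + C(9,2) + C(9,3)."""
    return sum(comb(POSITIONS, k) for k in range(1, MAX_TARGETS + 1))

def fixed_guess_odds(count_first):
    """Chance that one fixed single-tile answer matches a fresh challenge."""
    if count_first:   # raccoon count drawn first, 1/3 each (comment 23's guess)
        return (1 / MAX_TARGETS) * (1 / POSITIONS)
    return 1 / answer_space()   # answer drawn uniformly over all 129

def success_within(tries, p):
    """Probability that at least one of `tries` independent guesses passes."""
    return 1 - (1 - p) ** tries

class ChallengeStore:
    """Hypothetical server side: opaque ids, single-use keys, failure budget."""
    def __init__(self, max_failures=3):
        self.pending, self.failures = {}, {}
        self.max_failures = max_failures

    def issue(self, client_id):
        if self.failures.get(client_id, 0) >= self.max_failures:
            return None                      # budget spent, no new challenge
        key = secrets.token_hex(12)
        # uniform draw over all answers removes the single-raccoon skew
        self.pending[key] = (client_id, secrets.choice(ALL_ANSWERS))
        # image id is random, so the URL carries nothing about the answer
        return {"key": key, "image_id": secrets.token_urlsafe(16)}

    def verify(self, client_id, key, answer):
        owner, expected = self.pending.pop(key, (None, None))  # key is single-use
        if owner == client_id and frozenset(answer) == expected:
            return True
        self.failures[client_id] = self.failures.get(client_id, 0) + 1
        return False
```

With three failures allowed, `success_within(3, 1/129)` is about 2.3%, against about 68% for 30 tries at the skewed 1/27 odds. The budget is only as strong as the identity it is bound to, which comment 23 reports was the account.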
