Status code: 478 = Banned?
Trying request to https://api.go-tellm.com/api/v2/users/location
Get params: None
Token valid until: 2017-02-11 09:11:22
Request to https://api.go-tellm.com/api/v2/users/location successful (204)
Trying request to https://api.go-tellm.com/api/v2/posts/5840831bd2170361056d0861/upvote/
Get params: None
Token valid until: 2017-02-11 09:11:22
Request to https://api.go-tellm.com/api/v2/posts/5840831bd2170361056d0861/upvote/ failed:
Status code: 478
Text: 478
Whatever I do, trying to post or just upvote a post, I get this status code... Am I banned, or has someone else ever gotten this status code?
Comments (29)
-
reporter -
repo owner Confirmed. They must've added some parameter to authentication.
-
reporter Too bad. I hope we'll find a way to fix this. Keep us updated if u get any further.
-
I noticed that
/v3/user/config
returns "verified": true
for accounts that were created on my phones and "verified": false
for accounts created by OJOC. Maybe there's a correlation, since verified accounts work as intended, whereas unverified accounts return 478 when trying to post or vote.
-
reporter Hm okay... so there must be some kind of verification now... there was no update for the app, so maybe server-side only... the question now is where the difference is between a phone's account and an OJOC one
-
reporter @0ip would u share how to reproduce this? :) thanks
-
repo owner Ok, I've decompiled the app now and there seem to be new requests
/v3/user/verification/imageCaptcha
and
/v3/user/verification/push
A GET request to
/v3/user/verification/imageCaptcha
yields something like this:
{u'image_url': u'https://s3-eu-west-1.amazonaws.com/jodel-image-captcha/img_5_6_8.png', u'key': u'58788f8ef8ed0401b26b8b94', u'image_size': 245}
The image, however, does not contain a visible Captcha Code. So, it's maybe distorted using the key?
From the decompiled app I get the idea that the image may be cut into sub-images for captcha validation. So... counting objects?
-
repo owner The key is needed in the POST request to
/v3/user/verification/imageCaptcha
which requires:
- the key
- an int[] answer
-
repo owner A POST request to
/v3/user/verification/imageCaptcha
with a correct key but wrong answer yields
{u'verified': False}
So I believe cracking the captcha is the way to go
-
repo owner LOL, captcha cracked:
GET
/v3/user/verification/imageCaptcha
yields image URL in the format:
https://s3-eu-west-1.amazonaws.com/jodel-image-captcha/img_([0-9]_)+.png
so, e.g.,
https://s3-eu-west-1.amazonaws.com/jodel-image-captcha/img_5_6_8.png
Now, take the numbers (5,6,8), slap them into a list, transmit them as "answer" aaand...
{u'verified': True}
No doubt this will break soon...
-
Great work! But how can the App Vote before sending data to GET /v3/user/verification/imageCaptcha. I sniffed the https traffic directly after install and I found no connection to /v3/user/verification/imageCaptcha
-
repo owner Was there a connection to
/v3/user/verification/push
? Maybe there's an alternative way to verify via the Google API push tokens.
Also, if your phone already got a valid access token, there's no need to verify. Maybe the access token was somehow left over?
-
- request to google.com/loc/m/api
- request to /v2/users/location with Unauthorized response
- /v2/users to get token
- /v3/user/config with response "verified": true
Nothing between that and voting worked
-
Good work, but it seems they already changed the captcha mechanism:
https://s3-eu-west-1.amazonaws.com/jodel-image-captcha/D3SKGYMB0C.png
-
Fortunately, the only thing that has changed is the URL. The previous mechanism still works, i.e. responding with an array containing all the positions that have a hidden raccoon. It cannot be automated anymore though, unless we develop some ML algorithm that detects raccoons :D
-
repo owner "but it seems they already changed the captcha mechanism"
OK, that was expected.
Now,
OJOC/Connection.py
prints out the URL on the terminal and prompts for the positions of the racoons as a quick fix.
"unless we develop some ML algorithm that detects racoons :D"
Maybe as a research paper? ;-)
-
Probably not, but maybe a bachelor thesis that demonstrates the usage of TensorFlow/Keras in this case :)
-
repo owner - changed status to resolved
Resolved by implementing captcha verification
-
Hey guys. So I noticed that the captchas are quite repetitive. There are approximately 30 images which repeat themselves over and over. The filename tells us the solution (if the captcha was answered once manually). This is a list between filename and solution:
"1CEAFRH69O" => "7-8", "2QT6JRL06T" => "1-2", "4GEIEE5P8P" => "2-6-8", "5VI2JTJYWY" => "0-5", "6UHC4L53DG" => "0-2-3", "18FTBXVIJC" => "1-3-5", "AKWROEYSD3" => "1-5-7", "BL5901E1JS" => "0-4", "BNB1P58AJ6" => "4", "CORKCXU0TA" => "2-4-5", "D3SKGYMB0C" => "1", "DB96PZYUM7" => "2-7", "EJSHC2LTY1" => "5-6-8", "G6X12MP9DW" => "3", "IGDPXAFRE8" => "1-6-7", "IH92Z2ETIE" => "1-2-7", "JGA66GP5TG" => "1-5-8", "KUD8PU6UAB" => "5", "MF7ZX46TQQ" => "0-1-8", "MFDV8CMHHG" => "2-7-8", "MI9R8R1YIZ" => "1-7-8", "NI1A0RU1VJ" => "3-4-6", "OFJP966MXD" => "1-4-6", "OQZBADCV8I" => "2-5-8", "QNLPAJ8XGM" => "3-7-8", "RXNR1VZPUC" => "0-4-6", "YLJB76EJDY" => "3-4", "YO9E3X95IG" => "0-1-7", "ZJP7PW2LRG" => "4-5"
Maybe you could use that in some way.
-
reporter
def verify_captcha(self):
    # Known image names mapped to their answers (entries omitted on this page)
    solutions = {}
    captcha = self.get_captcha()
    prompt = 'Open\n\n\t'+captcha['image_url']+'\n\nin a browser and enter the images of the racoons (left to right, starting with 0) separated with spaces.'
    # The ten characters before ".png" are the image name
    captchakey = captcha['image_url']
    captchakey = captchakey[-14:-4]
    solution = []
    ok = False
    for key in solutions:
        if key == captchakey:
            ok = True
            solution = solutions.get(key)
    # Unknown image: fall back to asking the user
    while ok is not True:
        rv = raw_input(prompt+'\n> ')
        try:
            solution = [int(i,10) for i in rv.split(' ')]
            ok = True
        except ValueError as e:
            print "Invalid input, try again"
    verified = self.post_captcha(captcha['key'],solution)
    if verified is False:
        raise ValueError("Could not Verify")
I added a few missing captchas and changed the function, it's working :) Thank you @Loewe1000
I don't know how to make a pull request lol @cfib90 maybe u could commit this :)
-
repo owner Thanks @Loewe1000 and @Kian1991. I added this string-based method and also a method based on the MD5 hashes of the images.
-
Hello, I just checked and it seems that the captcha's URL now is similar to
https://s3-eu-west-1.amazonaws.com/jodel-image-captcha/e7970ed0-f780-11e6-81e2-b5685175817d.png
Have they randomized the url, since they just need the key to check the captcha? Don't know
We could check just the MD5, but it seems that now they have many more than 30 captchas
-
repo owner That looks like a UUID4 suggesting that they generate the images randomly, don't know if checking MD5 makes any sense.
-
Thank you for your response @cfib90. Ok, so that sounds like a good starting point for a pattern recognition system, I will try something
Anyway I want you to know that I really appreciate your work and your suggestions.
-
I just do this with c++ and opencv3:
Tested on just two images. I know this is a bit off-topic, but I want to share this fact with you, hoping that can help someone someday
-
repo owner Looks good. How is it performance-wise?
-
0.85 sec average time, using SIFT and Brute Force Matcher on a Celeron n2830 (a very low power consuming cpu with very low performance)
I think I could improve it using the FAST detector and the FLANN Matcher, but less than 1 sec on a low end pc seems good to me
Here you can find the code, if you are interested. It is not optimized though
-
Interesting, thanks! I noticed, however, that it's not always reliable. For example in 568, it doesn't detect 5 at all.
To achieve more reliability, I had some luck adding and detecting a second racoon image (racoon2.png, distance 0.55).
In other words, the captcha is effectively broken :P It was an interesting challenge, but I think it shouldn't be integrated in OJOC. It's a cat-and-mouse game nobody wants to play any longer.
-
I applaud your effort, but you guys are overengineering way too hard.
There's only 129 solutions to the captcha, so we can just bruteforce the thing. I also noticed that solutions with just one racoon are heavily overrepresented (They probably decide first on the number of racoons with 1/3 probability each). Using the answer
[3]
it never took more than 30 tries to validate the account (mostly it was <10 tries).
You'll run into 478 rate-limits, but those are tied to the account, so just create a new one when that happens.
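Added example, not part of the thread and not Jodel's or OJOC's code: the weaknesses the comments above describe (answer encoded in the image name, 129 possible answers, limits tied to a disposable account), seen from the server side in Python. ChallengeStore, client_id and MAX_FAILURES are hypothetical names; client_id is assumed to be an identifier that is harder to rotate than an account.

```python
import secrets
from math import comb

TILES, MAX_TARGETS = 9, 3   # positions 0-8 with one to three racoons, as in the thread
MAX_FAILURES = 5            # assumed failure budget per client identifier


def answer_space(tiles=TILES, max_targets=MAX_TARGETS):
    """Number of distinct answers available to a blind guesser."""
    return sum(comb(tiles, k) for k in range(1, max_targets + 1))


class ChallengeStore:
    """Hypothetical server-side challenge store (assumption, not Jodel's code)."""

    def __init__(self):
        self._pending = {}    # challenge key -> expected answer (sorted tuple)
        self._failures = {}   # client_id -> failed attempts so far

    def issue(self, answer):
        """Create a challenge whose key and image name are random."""
        key = secrets.token_hex(12)
        # Unlike img_5_6_8.png, the name is unrelated to the answer.
        image_name = secrets.token_hex(16) + ".png"
        self._pending[key] = tuple(sorted(answer))
        return {"key": key, "image_name": image_name}

    def verify(self, client_id, key, answer):
        """Return 'verified', 'rejected' or 'locked'."""
        if self._failures.get(client_id, 0) >= MAX_FAILURES:
            return "locked"
        # Single use: the key is consumed even when the answer is wrong,
        # so one image cannot be guessed at repeatedly.
        expected = self._pending.pop(key, None)
        if expected is not None and tuple(sorted(answer)) == expected:
            return "verified"
        self._failures[client_id] = self._failures.get(client_id, 0) + 1
        return "rejected"
```

answer_space() returns 129, the figure quoted in the last comment: 9 + 36 + 84 ways to place one, two or three racoons on nine tiles.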
-
tried now on a different server(different UID, different IP) same status code :(