Discord/Twitch/Snapchat age verification bypass

https://age-verifier.kibty.town/

193•JustSkyfall•1h ago

Comments

engelo_b•1h ago

the cat-and-mouse game of digital age verification is such a massive compliance headache. if these guards are this easy to bypass the platforms are basically just checking a box to satisfy regulators while leaving the actual liability wide open. it’s hard to underwrite trust when the verification layer is this brittle.

tentacleuno•1h ago

It was never going to be perfect. I suspect the goal with things like these is to add additional friction to the process, to make it much harder for the general population to bypass them.

consumer451•1h ago

There is a way to do this, where nearly everyone is fine.[0]

However, the orgs don’t get to capture verified adult user identity to pad the value of their user data profiles…

[0] https://blog.google/company-news/inside-google/around-the-gl...

brian-armstrong•55m ago

It seems unlikely that "is user adult" is not already easily modeled by any of these companies to within a very high degree of confidence. Even 15 or 20 years ago Google search could bracket your age pretty effectively. It doesn't seem like this adds metadata that wasn't already there.

chatmasta•6m ago

Google prompts me to verify my age on my account I created in 2004. They’re not trying too hard.

relma2•1h ago

Alright, how long until they patch this? Anyone takin' bets?

cocoto•1h ago

The real and robust method will be generating artificial video input instead of the real webcam. I really don’t think any platform will be able to counter this. If they start requiring to use a phone with harder to spoof camera input, you will simply be able to put the camera in front of a high resolution screen. The cat and mouse game will not last long.

jsheard•1h ago

They already support ID checks as an alternative to face scanning, if the latter proves to be untenable then it's literally a case of flipping a switch to mandate ID instead.

airstrike•54m ago

And lose every user in the process

dark-star•32m ago

I think you massively overestimate how many people actually care.

My guess is that 95% or more of all Discord users do not care and simply upload their selfie or ID card and be done with it. I know I will (although they did say that they expect 80%+ to not require verification since they can somehow infer their age from other parameters)

esseph•4m ago

[delayed]

jasonfarnon•20m ago

Is there any data on what kind of hits to enrollment were taken by facebook, gmail etc when they added requirements like a phone #? Maybe it's buried in their sec filings.

jasonfarnon•18m ago

Is there any data on what kind of hits to enrollment were taken by facebook, gmail etc when they added requirements like a phone #? Maybe it's buried in their sec filings. Anyway, this "cat and mouse" game is probably irrelevant. They're not looking for and don't need a perfect system. Bc 99% of the public couldn't care less about handing over their information.

arcologies1985•44m ago

They can't feasibly do this in the US since many people don't have drivers licenses or passports.

carcabob•37m ago

Those without driver's licenses or passports can get a state ID card instead, if I'm not mistaken. A pain, but an option.

jsheard•34m ago

Don't you have to be over 18 to get a credit card? How many people wouldn't be able to present a CC or ID?

Denatonium•32m ago

Only to have your own card. You can be an authorized user on a credit card even if you're under 18.

jsheard•30m ago

Ah right. I was wondering why they don't currently accept cards as proof of age in the US, that'll be why.

Gigachad•19m ago

At least in Australia you absolutely can have a debit card under 18 and it’s extremely common for adults to not have a credit card.

jsheard•16m ago

> At least in Australia you absolutely can have a debit card under 18

Steam requires a credit card for age verification in the UK, and doesn't accept debit cards for that purpose, so there's evidently a backend way to tell credit and debit apart.

buzzerbetrayed•32m ago

Yeah that’s not true. It’s a lie. And we all know why it’s a lie. Adults in the US with ID is 99%

bikezen•25m ago

*Citation needed

> Nearly 21 million voting-age U.S. citizens do not have a current (non-expired) driver’s license. Just under 9%, or 20.76 million people, who are U.S. citizens aged 18 or older do not have a non-expired driver’s license. Another 12% (28.6 million) have a non- expired license, but it does not have both their current address and current name. For these individuals, a mismatched address is the largest issue. Ninety-six percent of those with some discrepancy have a license that does not have their current address, 1.5% have their current address but not their current name, and just over 2% do not have their current address or current name on their license. Additionally, just over 1% of adult U.S. citizens do not have any form of government-issued photo identification, which amounts to nearly 2.6 million people.

From https://cdce.umd.edu/sites/cdce.umd.edu/files/pubs/Voter%20I...

jtmarl1n•25m ago

Somehow they don’t have trouble getting an ID when they want to buy alcohol

edm0nd•21m ago

wat. the majority of Americans have a DL, ID, or Passport. What a silly thing to say.

For DL alone:

>Data indicates that approximately 84% to 91% of all Americans hold a driver's license, with roughly 237.7 million licensed drivers in the U.S. as of 2023.

Add in an ID and Passport and we are likely closer to 99%

Forgeties79•37m ago

Most people under the driving age don’t have ID’s, at least in the US.

alright2565•20m ago

ID is much easier to forge, it's just a flat 2-d shape. None of the physical security features come through in images.

junon•17m ago

When I had to prove my passport for my bank over a video call they told me to rotate it around in the sunlight to show that it had the holo-whatever ink. So I wouldn't put it past them.

digiown•10m ago

A call requires a human, which is inherently not scalable. And even humans have trouble distinguishing AI content these days.

beambot•16m ago

Personal Identity Verification (PIV) and Common Access Card (CAC) credentials used by US government & military via NFC already work on web browsers. States should just move to digital IDs stored on smartphones, with chain of trust up through the secure element...

Gigachad•8m ago

The long term solution would have to be some kind of integration with a government platform where the platform doesn’t see your ID and the government doesn’t see what you are signing up for.

I don’t this will happen in the US but I can see it in more privacy responding countries.

Apple and Google may also add some kind of “child flag” parents can enable which tells websites and apps this user is a child and all age checks should immediately fail.

EGreg•1h ago

Actually, there are many ways. For example they change colors on your screen and check in real time how it reflects on your face, eyes, etc. Very hard for a model to be trained to respond this quickly to what's on the screen.

They also have you move your head in multiple directions.

cocoto•56m ago

You could always generate a random face model with real time rendering with enough details to trick any AI detector (or even human) and then you can do real time animation to orders or screen light tricks. You could also simply use some face filter on your face and these ones are really convincing these days (like on Snapchat and such).

EGreg•39m ago

Show me such a model.

It would be interesting to see a model completely indistinguishable from a real human in behavior, as well as real-time reflection off different surfaces, etc.

The next step would be to make a complete digital clone of a person based on surreptitiously recording them with hidden cameras. I doubt it's possible.

ddtaylor•10m ago

This is doable using high end stuff like Runway with a draft quality.

Your better bet would be to generate a face as an image and then you can easily generate that same face in different expected poses and conditions. You can then use existing models where you get to select the starting image and the ending image. Add some filters and noise to just make it look like normal crappy low light camera.

As for the color that's another expected condition and can be overlayed or pre-generated.

toomuchtodo•51m ago

You require a human to identity proof in real life and bind that to a digital identity with a strong authenticator. Anti fraud detection systems can suspend or ban if evasion attempts are detected. Perfect is not the target, it doesn’t have to be.

See: Login.gov (USPS offline proofing) and other national identity systems.

(digital identity is a component of my work)

gruez•48m ago

>You require a human to identity proof in real life and bind that to a digital identity

That's going to be a no from me, dawg. I'm sympathetic to ID checks like if you're buying beer or whatever, but not linking my real life identity to discord or whatever.

toomuchtodo•43m ago

Not my call, it’ll be the law of the land. Some may leave, but most won’t, and that’s good enough for corporate and enterprise value purposes.

Pornhub is fighting state age verification and keeps losing state by state, for example.

wileydragonfly•39m ago

Why should anyone inclined to want to buy beer have to show ID to do it?

toomuchtodo•31m ago

Because you’re required to in all 50 states to prove you’re over 21.

coldpie•25m ago

I don't think that's true? Rather, stores must not sell to anyone under 21. I'm almost 40 and rarely get carded these days.

chrysoprace•30m ago

I don't know how it works where you live, but in many jurisdictions around the world (including the one I live in), you have to provide ID to prove that you're of drinking age.

dark-star•32m ago

You have to show ID to buy beer?

subscribed•26m ago

If you aren't obviously adult then yeah. Where do you live so there are no laws on selling the alcohol to children?

MrDrMcCoy•46m ago

Which is by nature transient. There are many more and quite dangerous strings attached to doing this online. You never know if all parties involved in the verification are trustworthy.

kevinh•40m ago

Alternatively, hand someone $20 and your phone and have them do the verification for you.

pfych•30m ago

This is just what I did, and plan to continue to do.

ddtaylor•15m ago

You can just use a video from YouTube there are people that do it that just don't care

gnarbarian•30m ago

you counter this by using an id verified service like login.gov or okta verify.

That's the endgame and what the EU really wants. No poasting unless they can arrest you for inconvenient memes.

leftouterjoins•20m ago

Yes this is spot on. Apple & Google mobile platforms are locked down tight for this reason. Try installing okta verify on graphene OS. You cannot.

gnarbarian•14m ago

ask me how I know...

monksy•4m ago

They're getting worse with attested and validated environments. This one of the reasons that google is trying to kill sideloaded apps and checking for root access.

Weird thing.. the people who want this validation fully expect for you to pay for, maintain, keep it valid, and pay for upkeep/service for their desires. Honestly, this is something that SHOULD get very aggressive pushback.. but most people accept for no reason.

apeters•17m ago

Wow. The EU.

gnarbarian•4m ago

yes, avoiding EU fines and ensuring availability there is most likely the motivating factor behind the change.

tjpnz•22m ago

Death Stranding 2 photo-mode works well for this.

gclawes•18m ago

Don't Windows Hello camera devices have some kind of hardware attestation? I'm sure verification schemes like this will eventually go down that path soon.

My guess is that's probably one of the reasons Google tried to push for Play Store only apps, provide a measurable/verifiable software chain for stuff like this.

OptionOfT•17m ago

Yes they do. Part of the reason why you can't use certain webcams that are Windows Hello compatible (I.e. with IR) in recent versions of Windows.

ddtaylor•16m ago

I did this with OBS Virtual Camera for a thing in Oregon and it worked.

qwertox•15m ago

you put a flickering light, pwm creating artifacts in the video and have it apologize for it, to hopefully break some watermarks. my led light started acting up since yesterday, i have no other bulb.

bob1029•2m ago

They could do what a bank does and run everyone's ID through chexsystems. It's really hard to defeat this. Fake identities don't exist in the system and stolen ones would get flagged by geographic and time of use rules.

syntaxing•1h ago

Wow that was a fun read, I never thought about the technical implementation of these verification systems.

whh•1h ago

That was fast.

Retr0id•1h ago

Hm, when attempting it I get redirected to https://age-verifier.kibty.town/webview?url=null, which says:

{"error":"error parsing webview url"}

Edit: Apparently my discord account is in some kind of A/B feature test that uses a different verification provider, Persona

taesu•1h ago

doesn't work - request times out.

kotaKat•57m ago

worked here - as soon as i did it i heard a dm ping from the 'official' discord account...

"We determined you're in the adult age group."

scarygliders•53m ago

It does appear to work. I received a message from Discord saying "We determined you're in the adult group. <learn more>"

narrator> And that's when he discovers his account has now been hacked...

;)

0x1ch•39m ago

Worked for me as well. Hopefully my account of 11+ years isn't penalized because of this. Not like it matters because I'll quit anyways if forced to send my face or ID.

dark-star•29m ago

You probably won't even have to validate then. I guess they can safely assume that you didn't create your account when you were 7 years or younger. They said they expect 80% of users or so to be auto-verified by some other means (account age, typing statistics, whatever)

Retr0id•16m ago

My account is almost a decade old and discord is still asking me to complete age verification.

varun_ch•9m ago

Unfortunately I wouldn’t be so sure that there aren’t any 7 year old Discord users

kattagarian•38m ago

i changed the password later just to be sure.

thephotonsphere•43m ago

too late: I have already deleted my Discord account; Twitch is also going to enforce this? hmmm...

dark-star•28m ago

if you don't actively use discord, then this is probably the best solution, I agree

GaryBluto•30m ago

I don't understand why (mostly) young people put so much effort into remaining customers of a service that is actively hostile against them and that they do not like. Does the convenience of remaining on a service you don't like the management of outweigh the mild effort to find an alternative solution?

Anonbrit•28m ago

I don't control most of the discord communities I'm in. Some have been going a long time, and every platform migration sheds and shreds members. The 'mild effort' to move an old community to a new platform more often than not killed the community

GaryBluto•26m ago

> and every platform migration sheds and shreds members.

What's the problem? You're filtering out people who don't really care about participation in whatever group or society is there. People who want to participate will move to an acceptable service and those who feel that is too much effort probably weren't participating much (if at all) anyway - in that case the only difference is the visible list of people with accounts going down, not the actual "users".

KittenInABox•18m ago

I disagree with this sentiment. It is entirely possible that there will be people who are regulars on one platform who are just unable (actually unable or perceives themselves unable) to migrate and the morale lost from losing their regulars is huge. Or a subset who insist on staying, forming their own sub-community, and neither the migrating group nor the people who insist on staying produce enough engagement for the members and so the community as a whole fizzles out. This is all squishiness. There is a reason why deplatforming appears to work in reducing the effectiveness of political groups, even if the people who remain in the community post-deplatforming are hardened in their loyalty to the political policy of the group.

Gigachad•14m ago

The people will just recreate the same community on the same platform without you as the owner. They don’t care about you running it.

It’s also a futile effort since age checks for adult content is becoming the law around the world so soon any platform you move to will have the same checks.

Computer0•28m ago

I am sure that is part of the appeal to the developing mind, the adversarial nature.

GaryBluto•22m ago

Nothing more "adversarial" than continuing to allow a service to leach on whatever information you're giving to it despite it kicking you in the face at every opportunity.

jwkerr•25m ago

Most people don’t really care that their privacy is violated, at least not any more than a superficial “oh well it’s obvious they’re doing that, but what can you do about it!”, no point switching platform if there’s no one there to talk to.

zahlman•25m ago

> the mild effort to find an alternative solution?

Calling it a "mild effort" assumes skills that older generations took for granted but many young people seem to have been actively trained out of. We're past the era where I take for granted that aspiring programmers need to have the basics of a terminal or shell explained to them, into one where they might need an explanation for the basics of a file system and paths. I wouldn't be surprised to hear that hardly any of them could touch-type, either. (I wonder what the speed record is for cell phone text input...)

Yes, they can query a search engine (kind of) or, I guess nowadays, ask ChatGPT. But there's going to be more to setting up an alternative than that. And they need to have the idea that an alternative might exist. (After all, they're asking ChatGPT, not some alternative offering from a company that provides alternatives to Google services....)

herpdyderp•15m ago

> remaining customers of a service that is actively hostile against them and that they do not like

And yet here we all are, still in an uproar every time GitHub goes down. Change is slow, we can't all leave GitHub in a day. Same with Discord users.

Gigachad•15m ago

Why do middle aged people still use Facebook marketplace rather than another platform? Because even if you put in the effort to use something different, you’ll be the only one there.

The effort to coordinate everyone to move at the same time is bordering on impossible.

g947o•7m ago

I mean, it's called a social network

oliyoung•3m ago

> I don't understand why (mostly) young people put so much effort into remaining customers of a service that is actively hostile against them

The Network Effect.

That's it. Their friends are there so they're there.

lelandfe•30m ago

Love that hackers are still using "greetz"

electrotype•18m ago

I'm against workarounds. I'm pro "leaving them and only come back when Digital ID is not required anymore".

monksy•8m ago

This project is something that we would want to archive pretty quickly. I can see those service being upset over that being exposed.

digiown•1m ago

[delayed]

nirav72•8m ago

That worked for me. Got a response on desktop discord client once it was done. Wonder how long before they lock this down.

idontwantthis•1m ago

Is this not easily patched by the provider encrypting and signing the whole payload? I would have thought that would be table stakes for an identity provider.