  • Twitch stopped recognising the browser independent of configuration

  • Bugs, Desktop, Done

Can anyone confirm in the new RC released today? (from #rc-builds on Discord)

    So just tried this with the latest RC and it's still failing on the integrity check even with compatibility mode active.

    But I was having a poke at this on the weekend and I am pretty sure this is not due to a header mismatch but actually due to Kasada Anti-Bot. I stripped off the first level of obfuscation so that the JavaScript was more readable and can see that this library will inject the kpsdk headers:

    x-kpsdk-cd: {"workTime":1679309802217,"id":"c4425fd69e35668169c976369a631c0b","answers":[7,2],"duration":1,"d":274,"st":1679309796816,"rst":1679309796964}
    x-kpsdk-ct: 0Puw0EeZkC9yS9DOlHlCrb1DNi2WgLzYavzZk6ZYsNZXaqZmteeK7fDaMpCXRws7JthROON6Te3JHdTzHWsMpT4q300AFKJOQBxgZTUR2Ka5d6YKvK0gsob72a26yO2zGqD5Cw89FiE7BoJVAhCw0yimP

    I did not have time to dig further to fully confirm as it seems like the timings here are really tight so I need to script some stuff up in MITM to be totally sure that Kasada is the issue. Or it could be that this is totally incorrect and something else is the issue.

      Okay so have made a bit more progress on this, looks like the culprit here is the x-kpsdk-ct aka the client token. The current workaround I have found is that if you take a valid client token from another cookie store, i.e. Safari, and insert that into the Orion cookie store, the browser is then deemed valid.

      Looks like the next step is going to be sifting through the obfuscated code to see how the client token is created, hopefully there is something obvious that will allude as to why Orion is failing the checks.

        @alexkornitzer thank you for your dedication on this. My 5 cents:

        I've been able to log in several weeks ago without any issues using an RC version. It obviously became problematic once I got logged out. However, I've noticed there was an issue with their GraphQL API even before I got logged out. Twitch has a functionality which allows you to sort of "announce" a resubscription to a streamer in the chat. It shows a popup allowing you to share a custom message. This worked, however submitting this form yielded a checksum error on the GraphQL API. This might be related to their new anti-bot protection, or maybe not, who knows.

          I just ran into this too. (Switched from another browser). Trying to log into Twitch and am seeing this error. Is there any movement on fixing this? This makes Orion useless to me.

          FWIW. Safari Technology Preview also has the same problem, normal Safari logs in just fine.

            jtsom That seems to indicate the problem is with WebKit.

            Someone should post an issue on webkit.org

            https://webkit.org/reporting-bugs/

            and confirm here with the ticket link. They are usually pretty fast to fix these.

              Are we sure it's actually a bug with the engine and not a breakage by design that is due to it not being a supported browser? The scripts employed by the site will intentionally create fingerprints to block unknown browsers...

              I haven't had time to reverse the fingerprint fp endpoint yet.

                FWIW, Safari Technical Preview V166 has fixed the issue.

                  Steps to reproduce: Tried to login with my account and got the message: "Your browser is not currently supported. Please use a recommended browser or learn more here." Tried everything from clearing cache to use "Compatibility mode" and nothing worked.

                  Expected behavior: Log in as normal.

                  Orion, OS version; hardware type: Orion 0.99.123.3-beta on a Mac Studio running Mac OS Ventura 13.2.1

                    Merged 1 post from Twitch not letting me log in in Orion.

                      We will be upgrading to same WebKit or newer.

                        7 days later

                        I sincerely don't know if it's correlated but I went in the settings > web sites > content block > added www.twitch.tv (block active) and now the problem seems to be gone.

                        Last time I tried without this escamotage and had the recommended browser error was about a week ago, I do not know if in the meantime the error was already gone, anyway now I can use Twitch with my account on Orion.

                          Cizzle4 I just went to try that and noticed that twitch.tv was already in the list, and set to "On". I removed twitch.tv and went to log in again, and got past entering my user id and password (got to the enter TFA code, which I never got to in the past). Go figure...

                          alexkornitzer When to expect this release? And do we need to put twitch into block content or not?

                          Good job anyway!

                            Ironically enough, I've been able to login with the previous RC (0.99.123.3.3-rc) for a few days already, either Twitch decided to do a little bit of trolling or there's a certain randomness to this antibot protection. I've just updated to .4-rc and thankfully, it's working as well 🙂