Open Source Tool Claims to Bypass Age Verification on Discord, Twitch, and Snapchat

Startups Reporter

Developers xyzeva and Dziurwa released an open source script exploiting vulnerabilities in K-ID's age verification system, enabling users to bypass adult verification checks on platforms like Discord and Twitch.

Exploiting Verification Gaps in Social Platforms

A new open source tool claims to bypass mandatory age verification systems on Discord, Twitch, Kick, and Snapchat by exploiting technical weaknesses in K-ID's verification framework. Created by developers xyzeva and Dziurwa, the method works by reverse-engineering the cryptographic and metadata validation processes used by K-ID, the age verification provider adopted by Discord for its global rollout starting March 2024.

Technical Mechanics of the Bypass

The tool operates through two primary vectors:

  1. Discord Console Injection
    Users paste a script into Discord's browser console (via F12 developer tools). The script intercepts webpack modules to access Discord's internal API, then triggers a verification request that redirects to a custom webview URL. This mimics the legitimate verification flow without an actual identity check.

  2. QR Exploit for Twitch/Kick/Snapchat
    For other platforms, users capture the QR code URL from the "selfie verification" screen and input it into the tool's interface. The system then generates falsified verification metadata.

Vulnerability Analysis: How K-ID's Security Fails

K-ID uses FaceAssure for facial recognition, but the system relies on metadata analysis rather than raw biometric storage—a privacy feature that becomes its weakness. The tool exploits three specific gaps:

  • Encryption Flaws: K-ID uses AES-GCM encryption with keys derived from nonce, timestamp, and transaction ID via HKDF-SHA256. The tool replicates this derivation and generates valid encrypted_payload, auth_tag, and initialization vector values, which earlier bypass attempts were missing.

  • Prediction Data Manipulation: Post-encryption, K-ID validates facial analysis outputs (primaryOutputs, outputs, and raws). The tool clones the z-score normalization process used to filter outliers and ensures values like xScaledShiftAmt/yScaledShiftAmt match expected parameters.

  • Device and Timing Verification: The system checks camera device names against the user's media devices and validates state transition timestamps. The tool maps these to legitimate device IDs and synchronizes fake timestamps with K-ID's state machine.
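
What a defender should take from the first gap, as an added example that is not code from the tool, K-ID, or FaceAssure: if every HKDF input is a value the submitting client also holds (an assumption here), a valid tag only shows that the sender knew those values. HMAC-SHA256 stands in for the AES-GCM tag so the sketch runs on the standard library; the salt, info string, field values, and `SecretKeyedVerifier` are constructed for illustration.

```python
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def request_derived_key(nonce: bytes, timestamp: int, transaction_id: str) -> bytes:
    """Weak pattern: every key input is also known to the submitting client."""
    ikm = nonce + str(timestamp).encode() + transaction_id.encode()
    # Salt and info are constructed placeholders, not K-ID's values.
    return hkdf_sha256(ikm, b"example-salt", b"example-info")


def make_tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_request_keyed(nonce, timestamp, transaction_id, payload, tag) -> bool:
    """Passes for any payload tagged by anyone who saw the request fields."""
    key = request_derived_key(nonce, timestamp, transaction_id)
    return hmac.compare_digest(make_tag(key, payload), tag)


class SecretKeyedVerifier:
    """Hardened pattern: results are tagged with a key that never reaches the client."""

    def __init__(self) -> None:
        self._secret = os.urandom(32)  # hypothetical server-side analysis key
        self._redeemed = set()         # transaction IDs already accepted once

    def tag_result(self, transaction_id: str, payload: bytes) -> bytes:
        return make_tag(self._secret, transaction_id.encode() + b"|" + payload)

    def verify(self, transaction_id: str, payload: bytes, tag: bytes) -> bool:
        expected = self.tag_result(transaction_id, payload)
        if transaction_id in self._redeemed or not hmac.compare_digest(expected, tag):
            return False
        self._redeemed.add(transaction_id)
        return True
```

The second verifier only helps when the analysis result is produced by a component the user does not control; a check on client-computed output under a client-derivable key must treat the decrypted payload as untrusted input.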

Historical Context and Evolution

This approach builds on prior work by developer amplitudes, whose method was patched after FaceAssure hardened checks in late 2023. The current tool addresses new validations added post-patch, including media-device correlation and multi-layer prediction filtering.

Implications and Accessibility

All code is publicly available, raising concerns about misuse by minors circumventing age gates. While developers emphasize transparency ("we have nothing to hide"), the exploit highlights fundamental trade-offs in privacy-first design: K-ID's avoidance of raw biometric storage limits its ability to detect synthetic data.

Platforms face a dilemma—stricter verification could compromise user privacy, while current implementations remain vulnerable to reverse engineering. Discord's upcoming global rollout may accelerate patching efforts, though the open source nature of this tool ensures rapid community adaptation.

For technical review, the verification logic and source code (repository inferred from developer credits) are accessible for scrutiny.
