bypassiwastaken / buypass

Opening blocked sites with the PaymentRequest API
https://buypass.bypassi.com

why does it not work? #7

Closed tuta-amb closed 10 months ago

tuta-amb commented 10 months ago

according to MDN's browser compatibility chart, my browser (chrome 117) supports almost all features of the payment api, yet the button launches no popup?

could it be something with running on chromeos?

thanks

akabutnicer commented 10 months ago

It has to just be on your side. After testing on v116, it works perfectly fine. Besides the fact it can only load the site for three minutes, I haven't encountered any errors. Again, this exploit was not intended at all, therefore, it would be normal to see bugs and issues. Just try to use the exploit again.

tuta-amb commented 10 months ago

> It has to just be on your side. After testing on v116, it works perfectly fine. Besides the fact it can only load the site for three minutes, I haven't encountered any errors. Again, this exploit was not intended at all, therefore, it would be normal to see bugs and issues. Just try to use the exploit again.

Alright. What content blocker do you have? Mine is Lightspeed Filter Systems.

akabutnicer commented 10 months ago

Securly. With Securly's iFrame detection feature, this shows how the payment request API is nowhere near that of an iFrame. Therefore, it makes 100% sense why this works: Securly cannot access such a window, hence a bypass.

akabutnicer commented 10 months ago

And Lightspeed Filter Systems shouldn't be SO different from Securly in blocking terminology. If you can, send me the ZIP for your Lightspeed ID, for each one differs.

tuta-amb commented 10 months ago

@xcr15 What is a ZIP for a Lightspeed ID? My school district's postal ZIP code is 13413 if that helps. Thanks for the help.

akabutnicer commented 10 months ago

Nope. Not that; an extension ID is different. It's a 32-digit code, you could say, that can be dynamically imported by a zip or from Chrome's webstore, and which represents a plugin, or what Chrome calls an extension. Valid examples of these IDs would be: jfbecfmiegcjddenjhlbhlikcbfmnafd, ghbmnnjooekpmoecnnnilnnbdlolhkhi, and dikiaagfielfbnbbopidjjagldjopbpa, each of which is either hosted on the webstore or from a zip file. To find these IDs, you would go to chrome://extensions-internals if you are competent with JSON. If not, you would go to chrome://extensions and select the extension you want the ID of (in this case, Lightspeed), then the address bar of Chrome will show something like "chrome://extensions/?id=lsid", where "lsid" is the ID you want.
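
Added example (not part of the original thread or of the buypass project): a Chrome extension ID is 32 characters drawn from the letters a to p, encoding the first 128 bits of the SHA-256 hash of the extension's public key. The sketch below validates IDs such as the ones quoted above, pulls one out of a `chrome://extensions/?id=...` URL, and derives an ID from a key, which is useful when inventorying installed extensions; the function names and the sample key bytes are constructed for illustration.

```python
import base64
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# Hex digits 0-f map one-to-one onto the letters a-p.
HEX_TO_AP = str.maketrans("0123456789abcdef", "abcdefghijklmnop")
AP_TO_HEX = str.maketrans("abcdefghijklmnop", "0123456789abcdef")
ID_RE = re.compile(r"[a-p]{32}")


def is_extension_id(value: str) -> bool:
    """True only for exactly 32 characters in the range a-p."""
    return ID_RE.fullmatch(value) is not None


def id_to_hex(ext_id: str) -> str:
    """Recover the 128-bit hash prefix (as hex) that the ID encodes."""
    if not is_extension_id(ext_id):
        raise ValueError(f"not an extension ID: {ext_id!r}")
    return ext_id.translate(AP_TO_HEX)


def id_from_public_key(der: bytes) -> str:
    """Derive the ID from a DER-encoded public key."""
    return hashlib.sha256(der).hexdigest()[:32].translate(HEX_TO_AP)


def id_from_manifest_key(key_b64: str) -> str:
    """Same derivation, starting from the base64 "key" field of a manifest."""
    return id_from_public_key(base64.b64decode(key_b64, validate=True))


def id_from_extensions_url(url: str):
    """Return a well-formed ID from chrome://extensions/?id=<id>, else None."""
    parts = urlsplit(url)
    if parts.scheme != "chrome" or parts.netloc != "extensions":
        return None
    candidate = parse_qs(parts.query).get("id", [""])[0]
    return candidate if is_extension_id(candidate) else None


if __name__ == "__main__":
    # Constructed sample bytes, not a real public key.
    sample_key = b"constructed sample bytes, not a real public key"
    print(id_from_public_key(sample_key))
    print(id_from_extensions_url("chrome://extensions/?id=lsid"))
```
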

tuta-amb commented 10 months ago

Alright, thanks. There's three extensions installed:

I'm pretty sure the classroom one is irrelevant, and the filter agent is the one that is doing the actual redirects. The location agent may just be to track me.

akabutnicer commented 10 months ago

Yes, OK. This is exactly what I am looking for.

akabutnicer commented 10 months ago

For every extension ID, visit the attached URL, but replace "<extension_id>" with the ID you sent. You should be on the extension's manifest page, scroll a little further down, there will be a value with the name of "update_url": "url to copy". You have to copy the URL you see after that value. Then send each one here.

URL: chrome-extension://<extension_id>/manifest.json

akabutnicer commented 10 months ago

If you want, you can just send the filter agent.

tuta-amb commented 10 months ago

Alright, done here: https://gist.github.com/tuta-amb/5f140d4bee187203b9110075b8d3bed6 If you need any more files, such as the script files, I'd be happy to oblige.

akabutnicer commented 10 months ago

OK, very good.

akabutnicer commented 10 months ago

Also, if you mind, you haven't actually told me what the issue was in the first place.

tuta-amb commented 10 months ago

@xcr15 My bad, the issue is that the launch button produces no output. Unfortunately, I cannot share the possible error messages because Developer Tools are disabled.

Screen recording 2023-11-03 11.13.38.webm

akabutnicer commented 10 months ago

Could you perhaps explain to me a simple question, why have you remixed it...? Is the original link blocked? If so, I can check Lightspeed for an unsafe use of "indexOf()", that might be useful.

akabutnicer commented 10 months ago

Also, I will go to that link and open developer tools.

akabutnicer commented 10 months ago

@tuta-amb Why don't you check this URL, it has your answer: https://tuta-amb.github.io/script.js 🤦‍♂️. Your browser is trying to load a file which simply does not exist, or is in a different directory. Fix that issue then get back to me, please.

tuta-amb commented 10 months ago

@xcr15 bruh I didn't know that, since again I don't have devtools 🤷 Why are the paths specified from root and not relative!?

tuta-amb commented 10 months ago

@xcr15 Ok, well now it works but the window gets immediately closed. Screen recording 2023-11-03 12.33.32.webm

akabutnicer commented 10 months ago

Yes, that's because you didn't add the JSON payment files.

akabutnicer commented 10 months ago

@tuta-amb Check the full source, specifically, everything in the /pay/ directory.

tuta-amb commented 10 months ago

@xcr15 Updated the paths to relative, still nothing

akabutnicer commented 10 months ago

@tuta-amb, If you can, please send me the project repository, or directory pictures at the least.

Regards.

tuta-amb commented 10 months ago

@xcr15 I assume you mean my fork of the site? Github Repo

Aka-but-nice commented 10 months ago

This is @xcr15 on his alt, I'm looking at the source and have yet to see an issue with it.

akabutnicer commented 10 months ago

Alright, can you give me the project URL?

tuta-amb commented 10 months ago

@xcr15 What do you mean? I've sent the link to the forked repo, my site is deployed using Github Pages straight from the source.

It could be my filter extension is blocking it, but I doubt that it would have a handler to instantly close all dialogs like these, causing this broken functionality.

Aka-but-nice commented 10 months ago

No. I mean the actual github.io URL you are using. Thought it would be self-explanatory, but I guess that's my fault for thinking anyone is above 5 years old.

tuta-amb commented 10 months ago

@xcr15 @AbsolutelyNothingAndNoOne Sorry if I misunderstood you, but I'm pretty sure that you can't say that. "Project URL" is a very generic term, and if you wanted to see the URL of the published site, you could've said something like "final site", "published site", "deployment", etc...

Anyways, like you can see from the video and from the Github repository, the URL is https://tuta-amb.github.io/byebye

Aka-but-nice commented 10 months ago

@tuta-amb Strangely, I just reviewed the source and I don't see any errors at the moment. Again, it could just be the directories. This has a very slight chance of working. However, I want you to replace every /. with /pay/<filename>.

akabutnicer commented 10 months ago

My bad, I meant replace every ./ with /pay/<file_name>

tuta-amb commented 10 months ago

@xcr15 @AbsolutelyNothingAndNoOne I don't believe that would work, since that would be what I started out with lol.

akabutnicer commented 10 months ago

Hm. There's really nothing else I can say. I'm sure it is, but I just have to ask, is buypass.bypassi.com restricted?

tuta-amb commented 10 months ago

@xcr15 That's fine, thanks for helping, and yes, the official website is blocked.

akabutnicer commented 10 months ago

Thought so, well I have done everything I could. The rest is up to you. And besides, the exploit is mid anyway, I recommend you wait a little while until the next one gets posted.