dead8309 / Kizzy

Discord Rich Presence for Android. Made with jetpack compose and material3
https://kizzy.vercel.app
GNU General Public License v3.0
611 stars, 64 forks

Is this a Self-Bot ? #56

Closed rushiiMachine closed 2 years ago

rushiiMachine commented 2 years ago

Is your feature request related to a problem? Please describe.

No disclaimer in README that this is a selfbot

Describe the solution you'd like

Add a clear and visible warning to the top of the README that this is a selfbot and use this project at your own risk of your account getting banned

dead8309 commented 2 years ago

You should have checked the Docs first.

There is a common misunderstanding where people consider Rich Presence as self-botting, while it is not.

First you need to know a little about self-botting.

According to Discord Help Support, Self-botting is specifically the act of automating user

"Automated user accounts (self-bots)" is something that "have full access to all API routes without using bearer tokens".

Some common examples of self-botting

Self-botting and websocket connections are different things.

So unless anybody can find additional information, I'm sure that RPC is not at all against TOS (as long as you don't ABUSE IT).

Here's a reference to a reddit post on the official discord page:

Custom Rich Presence is not a violation of our Terms at this time. We don't suggest the practice, though, and this may change at some point in the future.

Extra stuff which most people probably don't know:

  1. The Discord app itself uses gateway connections in the backend
  2. Have you heard about Samsung Integration?

    It uses a non-public API route (which I won't tell here) to post game activity on discord

rushiiMachine commented 2 years ago

Connecting to the gateway is still a high-risk action; if your payloads and data don't match the official clients, then that's an easy way to get your account either banned or phone-number locked (from experience working on OpenCord).

Discord app itself uses gateway connections in the backend

Of course it does. The point is that it's the official clients doing it, in a way that won't trigger their detection; it's also not against the TOS because it's their own service.

Have you heard about Samsung Integration?

This is not even remotely similar to what you're doing. The Samsung integration registers an OAuth app that can set your activity by using those OAuth credentials (not your account's!), thereby bypassing emulating an official client connecting to the gateway.

You seem to misquote Discord that connecting to the gateway for activities is okay; however, I cannot find anything supporting it, in fact only the opposite.

Automating normal user accounts (generally called "self-bots") outside of the OAuth2/bot API is forbidden, and can result in an account termination if found.

Kizzy only connects to the gateway to automate activities, which is, by definition, a selfbot.

The reddit link you posted was also from 4 years ago, so unless you give me an updated conversation with the T&S team that it's still allowed, I won't believe you. Once Discord bans you for a suspicious websocket, their review team won't care that it was a Custom RPC selfbot and not just a selfbot; it's still a selfbot.

rushiiMachine commented 2 years ago

Connecting to the gateway to set activities ≠ the local RPC server the desktop client hosts

Vendicated commented 2 years ago

Kizzy also sends a very suspicious identify payload that could easily get you phone number locked or banned: https://github.com/dead8309/Kizzy/blob/341192a27646168ee4b8b3be88f070a60b35b3cb/app/src/main/java/com/my/kizzy/rpc/KizzyRPC.kt#L233-L247

You send "intents" which only bots use.

Your properties object is way too minimal, the official client sends around 10 properties here, such as the android version, architecture, discord version, etc. Also what in the world is a "disco". Here's a proper identify properties payload for Windows:

IdentifyProperties{
    Os:                "Windows",
    OsVersion:         "10.0.19044",
    OsArch:            "x64",
    Browser:           "Discord Client",
    SystemLocale:      "en-US",
    ClientVersion:     "1.0.9006",
    ClientBuildNumber: 141635,
    ReleaseChannel:    "stable",
    ClientEventSource: nil,
}

The official client also sends "capabilities", the user version of intents, and the current clientState and presence info

Lying to your users about this app being fully safe to use is very irresponsible. Yes, Kizzy does have a low probability of getting you banned because Discord doesn't moderate it strictly, but you should add a clear disclaimer that this is usage of the Discord API in violation of their Terms of Service and may get you suspended.

Full payload I dumped from the official client. You can do it on Windows too, just enable Discord's Staff Tools and enable its Gateway Logging

```json
{
  "capabilities": 1021,
  "client_state": {
    "guild_hashes": {},
    "highest_last_message_id": "0",
    "private_channels_version": "0",
    "read_state_version": 0,
    "user_guild_settings_version": -1,
    "user_settings_version": -1
  },
  "compress": false,
  "presence": {
    "activities": [],
    "afk": false,
    "since": 0,
    "status": "online"
  },
  "properties": {
    "browser": "Discord Client",
    "client_build_number": 152131,
    "client_event_source": null,
    "client_version": "0.0.20",
    "os": "Linux",
    "os_arch": "x64",
    "os_version": "5.19.13-arch1-1",
    "release_channel": "stable",
    "system_locale": "en-GB"
  },
  "token": "yes"
}
```
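The field-by-field comparison the comment above is making can be mechanised. The following is an added example, not code from Kizzy or from anyone in this thread: it takes the `d` of an IDENTIFY frame (gateway op 2) and reports what distinguishes it from the official-client dump quoted above. The reference object is that dump; `MINIMAL_IDENTIFY` is a constructed stand-in for a bot-library style identify (with the `intents` field and a `"disco"` browser string the comment mentions) and is an assumption, not Kizzy's actual payload. The list of bot-only top-level fields (`intents`, `shard`, `large_threshold`) is taken from the documented bot identify structure.

```javascript
// Added example (not Kizzy's code): audit a gateway IDENTIFY "d" object against
// the official-client dump and list what makes it look like a bot library.

// The identify "d" the official desktop client sent, as dumped in the comment
// above ("token" had already been replaced there).
const OFFICIAL_IDENTIFY = {
  capabilities: 1021,
  client_state: {
    guild_hashes: {},
    highest_last_message_id: "0",
    private_channels_version: "0",
    read_state_version: 0,
    user_guild_settings_version: -1,
    user_settings_version: -1,
  },
  compress: false,
  presence: { activities: [], afk: false, since: 0, status: "online" },
  properties: {
    browser: "Discord Client",
    client_build_number: 152131,
    client_event_source: null,
    client_version: "0.0.20",
    os: "Linux",
    os_arch: "x64",
    os_version: "5.19.13-arch1-1",
    release_channel: "stable",
    system_locale: "en-GB",
  },
  token: "yes",
};

// Constructed stand-in for a minimal, bot-library style identify.
// Assumption for illustration only; not Kizzy's actual payload.
const MINIMAL_IDENTIFY = {
  token: "user-token-redacted",
  intents: 0,
  properties: { os: "linux", browser: "disco", device: "disco" },
};

// Top-level identify fields that only appear in the documented bot identify.
const BOT_ONLY_FIELDS = ["intents", "shard", "large_threshold"];

// Returns a list of human-readable findings; an empty list means the payload
// carries the same shape as the reference.
function auditIdentify(d, reference = OFFICIAL_IDENTIFY) {
  const findings = [];
  const refProps = reference.properties;
  const props = d.properties || {};

  for (const k of BOT_ONLY_FIELDS) {
    if (k in d) findings.push(`bot-only field present: ${k}`);
  }
  for (const k of Object.keys(reference)) {
    if (k !== "token" && !(k in d)) findings.push(`missing user-client field: ${k}`);
  }
  for (const k of Object.keys(refProps)) {
    if (!(k in props)) findings.push(`missing properties.${k}`);
  }
  for (const k of Object.keys(props)) {
    if (!(k in refProps)) findings.push(`unexpected properties.${k}`);
  }
  if ("browser" in props && props.browser !== refProps.browser) {
    findings.push(`properties.browser is "${props.browser}", official client sends "${refProps.browser}"`);
  }
  return findings;
}

// For raw frames copied out of gateway logging: {"op":2,"d":{...}}.
function auditIdentifyFrame(jsonText) {
  const frame = JSON.parse(jsonText);
  if (frame.op !== 2) throw new Error(`not an IDENTIFY frame (op ${frame.op})`);
  return auditIdentify(frame.d);
}

console.log(auditIdentify(MINIMAL_IDENTIFY));
console.log(auditIdentify(OFFICIAL_IDENTIFY)); // []
```

Run it against a frame captured from your own client and every line it prints is a field a server-side classifier could key on. Matching the shape is necessary but not sufficient: values such as `client_build_number` and `os_version` also have to be plausible for the platform you claim.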
dead8309 commented 2 years ago

Connecting to the gateway is still a high-risk action; if your payloads and data don't match the official clients, then that's an easy way to get your account either banned or phone-number locked (from experience working on OpenCord).

Discord app itself uses gateway connections in the backend

Of course it does. The point is that it's the official clients doing it, in a way that won't trigger their detection; it's also not against the TOS because it's their own service.

Have you heard about Samsung Integration?

This is not even remotely similar to what you're doing. The Samsung integration registers an OAuth app that can set your activity by using those OAuth credentials (not your account's!), thereby bypassing emulating an official client connecting to the gateway.

You seem to misquote Discord that connecting to the gateway for activities is okay; however, I cannot find anything supporting it, in fact only the opposite.

Automating normal user accounts (generally called "self-bots") outside of the OAuth2/bot API is forbidden, and can result in an account termination if found.

Kizzy only connects to the gateway to automate activities, which is, by definition, a selfbot.

The reddit link you posted was also from 4 years ago, so unless you give me an updated conversation with the T&S team that it's still allowed, I won't believe you. Once Discord bans you for a suspicious websocket, their review team won't care that it was a Custom RPC selfbot and not just a selfbot; it's still a selfbot.

Connecting to the Discord gateway is a high risk when there are clear instructions on how to handle websocket data. The only thing which my app currently doesn't support is zlib compression to send payloads of lesser size.

dead8309 commented 2 years ago

Kizzy also sends a very suspicious identify payload that could easily get you phone number locked or banned:

https://github.com/dead8309/Kizzy/blob/341192a27646168ee4b8b3be88f070a60b35b3cb/app/src/main/java/com/my/kizzy/rpc/KizzyRPC.kt#L233-L247

You send "intents" which only bots use.

Your properties object is way too minimal, the official client sends around 10 properties here, such as the android version, architecture, discord version, etc. Also what in the world is a "disco". Here's a proper identify properties payload for Windows:

IdentifyProperties{
  Os:                "Windows",
  OsVersion:         "10.0.19044",
  OsArch:            "x64",
  Browser:           "Discord Client",
  SystemLocale:      "en-US",
  ClientVersion:     "1.0.9006",
  ClientBuildNumber: 141635,
  ReleaseChannel:    "stable",
  ClientEventSource: nil,
}

The official client also sends "capabilities", the user version of intents, and the current clientState and presence info

Lying to your users about this app being fully safe to use is very irresponsible. Yes, Kizzy does have a low probability of getting you banned because Discord doesn't moderate it strictly, but you should add a clear disclaimer that this is usage of the Discord API in violation of their Terms of Service and may get you suspended.

Full payload I dumped from the official client. You can do it on Windows too, just enable Discord's Staff Tools and enable its Gateway Logging

{
  "capabilities": 1021,
  "client_state": {
    "guild_hashes": {},
    "highest_last_message_id": "0",
    "private_channels_version": "0",
    "read_state_version": 0,
    "user_guild_settings_version": -1,
    "user_settings_version": -1
  },
  "compress": false,
  "presence": {
    "activities": [],
    "afk": false,
    "since": 0,
    "status": "online"
  },
  "properties": {
    "browser": "Discord Client",
    "client_build_number": 152131,
    "client_event_source": null,
    "client_version": "0.0.20",
    "os": "Linux",
    "os_arch": "x64",
    "os_version": "5.19.13-arch1-1",
    "release_channel": "stable",
    "system_locale": "en-GB"
  },
  "token": "yes"
}

Here, have a look at what the gateway expects us to send.

Vendicated commented 2 years ago

that documentation is for bots exclusively, official clients send vastly different values than documented here

dead8309 commented 2 years ago

No, that documentation is for gateway connections as a whole.

rushiiMachine commented 2 years ago

Sorry, but you're just blatantly wrong. That documentation is for bots only. Discord does not document ways to connect to the gateway from user accounts.

dead8309 commented 2 years ago

Take a look at this and tell me: if it was for bots only, then why would Discord intentionally specify the words "User Status" on its docs page?

Vendicated commented 2 years ago

Because bots are also users?

Anyway, you are blatantly wrong; the official client sends vastly different data. You can verify it yourself by reading literally anything I said or by using the webtools to inspect the gateway messages. See for example here how it sends "capabilities", "release_channel" and "client_version":

[image]

dead8309 commented 2 years ago

If you had read my message about why the data is different, you wouldn't be posting the same thing twice. My app only sends the least amount of field values required by the gateway.

Vendicated commented 2 years ago

My app only sends the least amount of field values required by the gateway

Which is extremely suspicious to Discord and a risk for your users' accounts. If you're not gonna add a disclaimer/warning about the risks of using this app, at least make the requests not scream "IM A SELFBOT!!" and make them match the official ones fully. That means add the missing fields, use erlpack, use gateway v9, not 10 (or at least properly implement the new changes in v10). And even if you do that, there will always be a risk.

Yes, this is a selfbot; yes, you might potentially get banned for it. It is not likely, but the risk is always there.

rushiiMachine commented 2 years ago

why would discord intentionally specify the word "User Status" on its docs page ?

Because 1. bots are also users, and 2. bots can set their own status and presence as well.

That doesn't take away from the fact that many undocumented gateway and API differences are present between bots and regular users, especially for things related to RPC and activities.

dead8309 commented 2 years ago

make them match official ones fully. That means add the missing fields

Thanks for this, I'll try to add those necessary fields in the next patch.

The changes made in v10 are not related to the rich presence part.

Vendicated commented 2 years ago

The v10 changes directly affect this app and make you look even more suspicious to Discord.

I don't understand why it's so hard for you to admit and recognise that this app is not 100% safe and add a disclaimer.

https://discord.com/developers/docs/change-log#sessionspecific-gateway-resume-urls

dead8309 commented 2 years ago

I don't understand why it's so hard for you to admit and recognise that this app is not 100% safe and add a disclaimer

Because I haven't found a single source which properly states that a gateway connection to set Rich Presence for users is against the TOS. If it were, why would Discord add User and Bot in different places?

https://discord.com/developers/docs/change-log#sessionspecific-gateway-resume-urls

Interesting.. I'll add the gateway_resume_url in the next patch. Didn't know this was also in the changelog.
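What the linked change-log entry means for a client is that the `resume_gateway_url` delivered in READY, not the main gateway URL, is the host a RESUME must go to. The following is an added example, not Kizzy's code or anyone's from this thread: a simulated v10 session lifecycle (HELLO, IDENTIFY, READY, HEARTBEAT, RESUME) against an in-memory stand-in for the gateway. Opcodes are the documented ones; `FakeGateway`, `SESSION_GATEWAY` and the policy that a RESUME sent to the main URL is answered with an unresumable Invalid Session are assumptions that model the end state the change-log describes after its transition period, not a capture of current server behaviour.

```javascript
// Added example (not Kizzy's code): the gateway session lifecycle around
// resume_gateway_url, simulated offline. The server below is a constructed
// stand-in, not Discord's implementation.
const OP = { DISPATCH: 0, HEARTBEAT: 1, IDENTIFY: 2, RESUME: 6, INVALID_SESSION: 9, HELLO: 10, HEARTBEAT_ACK: 11 };

const MAIN_GATEWAY = "wss://gateway.discord.gg";
// Assumed value; the real one arrives in READY and differs per session.
const SESSION_GATEWAY = "wss://gateway-example.discord.gg";

// In-memory stand-in for the gateway. Assumption: a RESUME on the main URL
// is rejected, which is the post-transition behaviour the change-log announces.
class FakeGateway {
  constructor() { this.sessions = new Map(); this.seq = 0; }
  // Returns the frames the server sends in reply to one client frame
  // (frame === null means the socket was just opened).
  handle(url, frame) {
    if (frame === null) return [{ op: OP.HELLO, d: { heartbeat_interval: 41250 } }];
    if (frame.op === OP.HEARTBEAT) return [{ op: OP.HEARTBEAT_ACK }];
    if (frame.op === OP.IDENTIFY) {
      const session_id = `sess-${this.sessions.size + 1}`;
      this.sessions.set(session_id, frame.d.token);
      return [{ op: OP.DISPATCH, t: "READY", s: ++this.seq,
                d: { session_id, resume_gateway_url: SESSION_GATEWAY } }];
    }
    if (frame.op === OP.RESUME) {
      const known = this.sessions.get(frame.d.session_id) === frame.d.token;
      if (!known || url !== SESSION_GATEWAY) return [{ op: OP.INVALID_SESSION, d: false }];
      return [{ op: OP.DISPATCH, t: "RESUMED", s: ++this.seq, d: {} }];
    }
    return [];
  }
}

class GatewayClient {
  constructor(gateway, token, { honourResumeUrl = true } = {}) {
    this.gateway = gateway; this.token = token; this.honourResumeUrl = honourResumeUrl;
    this.seq = null; this.sessionId = null; this.resumeUrl = null; this.lastEvent = null;
  }
  open(url) { this.url = url; this.send(null); }
  send(frame) { for (const f of this.gateway.handle(this.url, frame)) this.receive(f); }
  receive(f) {
    if (f.s !== undefined) this.seq = f.s; // last sequence, needed for RESUME and heartbeats
    switch (f.op) {
      case OP.HELLO:
        this.heartbeatInterval = f.d.heartbeat_interval;
        if (this.sessionId) {
          this.send({ op: OP.RESUME, d: { token: this.token, session_id: this.sessionId, seq: this.seq } });
        } else {
          // Placeholder properties; the identify shape itself is a separate concern.
          this.send({ op: OP.IDENTIFY, d: { token: this.token, properties: { os: "Android" } } });
        }
        break;
      case OP.DISPATCH:
        this.lastEvent = f.t;
        if (f.t === "READY") { this.sessionId = f.d.session_id; this.resumeUrl = f.d.resume_gateway_url; }
        break;
      case OP.INVALID_SESSION:
        // d === false means not resumable: drop the session and identify afresh next time.
        this.lastEvent = "INVALID_SESSION";
        if (f.d === false) { this.sessionId = null; this.resumeUrl = null; }
        break;
      case OP.HEARTBEAT_ACK:
        this.lastAck = Date.now();
        break;
    }
  }
  heartbeat() { this.send({ op: OP.HEARTBEAT, d: this.seq }); }
  connect() { this.open(MAIN_GATEWAY); }
  // After the socket drops. A client that ignores resume_gateway_url goes back
  // to the main URL and, under the modelled policy, loses its session.
  reconnect() { this.open(this.honourResumeUrl && this.resumeUrl ? this.resumeUrl : MAIN_GATEWAY); }
}

// Drives one connect, one heartbeat and one reconnect; returns the last event seen.
function runSession(honourResumeUrl) {
  const client = new GatewayClient(new FakeGateway(), "user-token-redacted", { honourResumeUrl });
  client.connect();
  client.heartbeat();
  client.reconnect(); // simulate a dropped socket
  return client.lastEvent;
}

console.log(runSession(true));  // RESUMED
console.log(runSession(false)); // INVALID_SESSION
```

The practical check for a client is the `reconnect()` branch: store `resume_gateway_url` and `session_id` from READY alongside the last `s`, and on an unresumable Invalid Session (`d: false`) forget all three before re-identifying rather than retrying the RESUME.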

dead8309 commented 2 years ago

Because 1. bots are also users and 2. bots can set their own status and presence as well

Bots can only set the name, details and state fields; all other fields are for user accounts.

rushiiMachine commented 2 years ago

properly states Gateway connection to set Rich Presence for users is against TOS

Any connection from something that is not an official client, for any type of automation, is against the TOS. Refer to my quote from the TOS of Discord above.

I am legitimately confused why you're so reluctant to just warn users that their account is at risk by using this. If I got my account banned by a project that lied to me, I would be extremely pissed off. You're saying it's 100% safe when it's simply not true (in its current state), which doesn't give you a very good image.

dead8309 commented 2 years ago

Okay, I'll update the readme. Thanks.