Closed rushiiMachine closed 2 years ago
There is a common misunderstanding that people consider RichPresence as self botting while it is not
According to Discord Help Support, Self-botting is specifically the act of automating user
"Automated user accounts (self-bots)" is something that "have full access to all API routes without using bearer tokens
Self-botting and Websocket connections are different things.
So unless anybody can find additional information, I'm sure that RPC is not at all against TOS (as long as you don't ABUSE IT.)
It uses a non-public API route (which I won't tell here) to post game activity on Discord
Connecting to gateway is still a high risk action, if your payloads and data don't match official clients, then that's an easy way to get your account either banned or phone number locked (from experience working on OpenCord).
Discord app itself uses gateway connections in the backend
Of course it does, the point is that it's official clients doing it in a way that won't trigger their detection, it's also not against tos because it's their own service
Have you heard about Samsung Integration?
This is not even remotely similar to what you're doing. Samsung integration registers an oauth app that can set your activity by using those oauth credentials (not your accounts!), and therefore bypassing emulating an official client connecting to the gateway
You seem to misquote Discord that connecting to the gateway for activities is okay, however I cannot find anything supporting it, in fact only the opposite.
Automating normal user accounts (generally called "self-bots") outside of the OAuth2/bot API is forbidden, and can result in an account termination if found.
Kizzy only connects to the gateway to automate activities which is, by definition, a selfbot.
The reddit link you posted also was from 4y ago, so unless you give me an updated conversation with the T&S team that it's still allowed, I won't believe you. Once Discord bans you for suspicious websocket their review team won't care that it was a Custom RPC selfbot and not just a selfbot, it's still a selfbot.
Connecting to gateway to set activities ≠ the local rpc server the desktop client hosts
Kizzy also sends a very suspicious identify payload that could easily get you phone number locked or banned: https://github.com/dead8309/Kizzy/blob/341192a27646168ee4b8b3be88f070a60b35b3cb/app/src/main/java/com/my/kizzy/rpc/KizzyRPC.kt#L233-L247
You send "intents" which only bots use.
Your properties object is way too minimal, the official client sends around 10 properties here, such as the android version, architecture, discord version, etc. Also what in the world is a "disco". Here's a proper identify properties payload for Windows:
```go
IdentifyProperties{
	Os:                "Windows",
	OsVersion:         "10.0.19044",
	OsArch:            "x64",
	Browser:           "Discord Client",
	SystemLocale:      "en-US",
	ClientVersion:     "1.0.9006",
	ClientBuildNumber: 141635,
	ReleaseChannel:    "stable",
	ClientEventSource: nil,
}
```
The official client also sends "capabilities", the user version of intents, and the current clientState and presence info
Lying to your users about this app being fully safe to use is very irresponsible. Yes kizzy does have low probability of getting you banned because Discord doesn't moderate it strictly but you should add a clear disclaimer that this is usage of the Discord api in violation of their Terms of Service and may get you suspended
Connecting to Discord gateway is a high risk when there are clear instructions on how to handle websocket data. The only thing which my app currently doesn't support is zlib compression to send payloads of lesser size.
Full payload I dumped from the official client. You can do it on Windows too, just enable Discord's Staff Tools and enable its Gateway Logging
```json
{
  "capabilities": 1021,
  "client_state": {
    "guild_hashes": {},
    "highest_last_message_id": "0",
    "private_channels_version": "0",
    "read_state_version": 0,
    "user_guild_settings_version": -1,
    "user_settings_version": -1
  },
  "compress": false,
  "presence": {
    "activities": [],
    "afk": false,
    "since": 0,
    "status": "online"
  },
  "properties": {
    "browser": "Discord Client",
    "client_build_number": 152131,
    "client_event_source": null,
    "client_version": "0.0.20",
    "os": "Linux",
    "os_arch": "x64",
    "os_version": "5.19.13-arch1-1",
    "release_channel": "stable",
    "system_locale": "en-GB"
  },
  "token": "yes"
}
```
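The point argued above, seen from the server side, as an added example that is not part of the thread or of Kizzy's code: it compares the shape of an identify payload with the official-client dump and lists every structural difference. `MINIMAL` is a constructed sample (not Kizzy's actual payload), and the checks are an assumption about what a detector could look at, not Discord's real logic.

```python
import json

# Field names taken from the official-client payload dumped in the thread.
CLIENT_TOP_LEVEL = {"capabilities", "client_state", "presence", "properties", "token"}
CLIENT_PROPERTIES = {
    "browser", "client_build_number", "client_event_source", "client_version",
    "os", "os_arch", "os_version", "release_channel", "system_locale",
}

def identify_anomalies(payload: dict) -> list[str]:
    """List structural differences from the dumped client identify payload.

    Shape only: values (versions, build numbers, locale) are not validated.
    """
    reasons = []
    if "intents" in payload:
        reasons.append("has 'intents' (bot-only field)")
    for key in sorted(CLIENT_TOP_LEVEL - set(payload)):
        reasons.append(f"missing top-level '{key}'")
    props = payload.get("properties")
    if not isinstance(props, dict):
        props = {}
    for key in sorted(CLIENT_PROPERTIES - set(props)):
        reasons.append(f"missing properties.{key}")
    for key in sorted(set(props) - CLIENT_PROPERTIES):
        reasons.append(f"unexpected properties.{key}")
    return reasons

# The dump from the thread, with its placeholder token kept as posted.
OFFICIAL = json.loads("""
{"capabilities": 1021,
 "client_state": {"guild_hashes": {}, "highest_last_message_id": "0",
                  "private_channels_version": "0", "read_state_version": 0,
                  "user_guild_settings_version": -1, "user_settings_version": -1},
 "compress": false,
 "presence": {"activities": [], "afk": false, "since": 0, "status": "online"},
 "properties": {"browser": "Discord Client", "client_build_number": 152131,
                "client_event_source": null, "client_version": "0.0.20",
                "os": "Linux", "os_arch": "x64", "os_version": "5.19.13-arch1-1",
                "release_channel": "stable", "system_locale": "en-GB"},
 "token": "yes"}
""")

# Constructed sample: a bot-documentation-style identify with 'intents' and a
# three-field properties object, the pattern the thread calls suspicious.
MINIMAL = {"token": "placeholder", "intents": 0,
           "properties": {"os": "linux", "browser": "disco", "device": "disco"}}

if __name__ == "__main__":
    for name, p in (("official", OFFICIAL), ("minimal", MINIMAL)):
        print(name, identify_anomalies(p))
```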
Here, have a look at what gateway expects us to send.
that documentation is for bots exclusively, official clients send vastly different values than documented here
No, that documentation is for the whole gateway connections.
Sorry, but you're just blatantly wrong. That documentation is for bots only. Discord does not document ways to connect to gw from user accounts
Take a look at this and tell me if it was for bots only then why would Discord intentionally specify the word "User Status" on its docs page?
Because bots are also users?
Anyway you are blatantly wrong, the official client sends vastly different data. You can verify it yourself by reading literally anything I said or using the webtools to inspect the gateway messages, see for example here how it sends "capabilities", "release_channel" and "client_version"
If you have read my message about why the data is different you won't be posting the same thing twice. My app only sends the least amount of field values required by the gateway
My app only sends the least amount of field values required by the gateway
Which is extremely suspicious to Discord and a risk for your users' accounts. If you're not gonna add a disclaimer/warning about the risks of using this app, at least make the requests not scream "IM A SELFBOT!!" and make them match official ones fully. That means add the missing fields, use erlpack, use gateway v9, not 10 (or at least properly implement the new changes in v10). And even if you do that there will always be a risk.
Yes this is a selfbot, yes you might potentially get banned for it. It is not likely but the risk is always there
why would Discord intentionally specify the word "User Status" on its docs page?
Because 1. bots are also users and 2. bots can set their own status and presence as well
That doesn't take away from the fact that many undocumented gateway and API changes are present between bots and regular users, especially for things related to RPC and activities
make them match official ones fully. That means add the missing fields
Thanks for this I'll try to add those necessary fields in next patch.
The changes made in v10 are not related to rich presence part
the v10 changes directly affect this app and make you look even more suspicious to Discord
I don't understand why it's so hard for you to admit and recognise that this app is not 100% safe and add a disclaimer
https://discord.com/developers/docs/change-log#sessionspecific-gateway-resume-urls
I don't understand why it's so hard for you to admit and recognise that this app is not 100% safe and add a disclaimer
Because I haven't found a single source which properly states Gateway connection to set Rich Presence for users is against TOS. If it were, why would Discord add User and Bot in different places
https://discord.com/developers/docs/change-log#sessionspecific-gateway-resume-urls
Interesting.. I'll add the gateway_resume_url in next patch. Didn't know this was also in changelog
Because 1. bots are also users and 2. bots can set their own status and presence as well
Bots can only set `name`, `details` and `state` fields, all other fields are for user accounts
properly states Gateway connection to set Rich Presence for users is against TOS
Any connection from not an official client for any type of automation is against TOS. Refer to my quote from the TOS of discord above
I am legitimately confused why you're so reluctant to just warn users that their account is at risk by using this. If I got my account banned by a project that lied to me I would be extremely pissed off. You're saying it's 100% safe when it's simply not true (in its current state), which doesn't give you a very good image.
Okay I'll update the readme. Thanks
Is your feature request related to a problem? Please describe.
No disclaimer in README that this is a selfbot
Describe the solution you'd like
Add a clear and visible warning to the top of the README that this is a selfbot and use this project at your own risk of your account getting banned