jleclanche / python-bna

Python implementation of the mobile Blizzard Authenticator (TOTP)
https://eu.battle.net/support/en/article/24520
MIT License

bna restore: bna.http.HTTPError: mobile-service.blizzard.com returned status 502 #38

Open mx03 opened 1 year ago

mx03 commented 1 year ago

Is this project still supported? Not sure how much you can do if the battlenet endpoints got changed, but maybe someone has an idea.

Traceback (most recent call last):
  File "/home/maximilian/.local/bin/bna", line 8, in <module>
    sys.exit(main())
  File "/home/maximilian/.local/lib/python3.8/site-packages/click/core.py", line 1130, in __call__
    return self.main(*args, **kwargs)
  File "/home/maximilian/.local/lib/python3.8/site-packages/click/core.py", line 1055, in main
    rv = self.invoke(ctx)
  File "/home/maximilian/.local/lib/python3.8/site-packages/click/core.py", line 1657, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
  File "/home/maximilian/.local/lib/python3.8/site-packages/click/core.py", line 1404, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/home/maximilian/.local/lib/python3.8/site-packages/click/core.py", line 760, in invoke
    return __callback(*args, **kwargs)
  File "/home/maximilian/.local/lib/python3.8/site-packages/click/decorators.py", line 26, in new_func
    return f(get_current_context(), *args, **kwargs)
  File "/home/maximilian/.local/lib/python3.8/site-packages/bna/cli.py", line 222, in restore
    secret = bna.restore(serial, restore_code)
  File "/home/maximilian/.local/lib/python3.8/site-packages/bna/http.py", line 129, in restore
    challenge = client.initiate_paper_restore(serial)
  File "/home/maximilian/.local/lib/python3.8/site-packages/bna/http.py", line 48, in initiate_paper_restore
    response = self.post("/enrollment/initiatePaperRestore.htm", data=serial)
  File "/home/maximilian/.local/lib/python3.8/site-packages/bna/http.py", line 32, in post
    raise HTTPError(
bna.http.HTTPError: mobile-service.blizzard.com returned status 502

jleclanche commented 1 year ago

If you want to fix it and submit a patch I will review and merge it, but in general I don't have a way of actively maintaining it.

J4bber commented 1 year ago

I am guessing the overall method for the API is different now, so it's not working... It's been 10 years since I worked with Python, so I'll just use the iOS authenticator.

mx03 commented 1 year ago

Yes, as Blizzard deprecated the Battle.net Authenticator and replaced it with Battle.net Messenger with the authenticator included, they probably changed the API endpoints. I already looked a little bit at how the new one works but didn't find anything.

mx03 commented 1 year ago

I tracked the DNS requests and found the domain authenticator-rest-api.bnet-identity.blizzard.net, which has a Swagger UI: https://authenticator-rest-api.bnet-identity.blizzard.net/swagger-ui/

(Don't know why Blizz has that documentation online, because I don't think they want third-party implementations.)

https://authenticator-rest-api.bnet-identity.blizzard.net/v1/authenticator/device deviceSecret is the secret as hex.

Biggest issue is that you need OAuth 2.0 with a specific scope that is probably not available this way: https://develop.battle.net/documentation/guides/using-oauth

alvinpeters commented 1 year ago

Is it possible to get that scope by snooping in the app binary or something?

mx03 commented 1 year ago

The scope is auth.authenticator (you can see it on the Swagger page if you press the Authorize button). I don't have much time at the moment, so I won't look further into the OAuth auth with this scope.

alvinpeters commented 1 year ago

Now this gets my interest. I'm writing a simple Rust binary for this. (I hate installing fuckloads of libraries lol) Hopefully done this weekend if I don't hit any roadblocks.

alvinpeters commented 1 year ago

Yup. Turns out you can't just ask for the auth.authenticator scope and be granted that. I tried authenticating with various scopes plus that scope, but it turns out directly asking for auth.authenticator as some random app is just impossible; it gets silently blocked. I tried entering the access token into the authenticator Swagger, no joy, saying "must-revalidate" after trying out one of the URLs.

This is what I got from redirecting to the Swagger:

auth error{"error":"invalid_client","error_description":"Unauthorized grant type: implicit","state":"random state token lol"

We need another approach for this. Maybe even some gray area methods by trying to get the Battle.net app info. For now, I can try sniffing the REST GETs and POSTs of the app with Wireshark androiddump and see if there's something that can be useful.

mx03 commented 1 year ago

The API works with the extracted device key from the Battle.net app. So yes, that's the way it should work.

alvinpeters commented 1 year ago

> The API works with the extracted device key from the Battle.net app. So yes, that's the way it should work.

@mx03 how do you extract the device key? And also we need a way to either distribute the key (kinda grey area legally) or provide a way for people to reliably extract the device key.

Once done, I can finish my implementation within a few days.

mx03 commented 1 year ago

Sorry, I meant the client ID. It's stored on an Android device in this file under com.blizzard.messenger.PREF_AUTHENTICATION_PROVIDER_CLIENT_ID and is custom for every user: /data/data/com.blizzard.messenger/shared_prefs/com.blizzard.messenger.authenticator_preferences.xml

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="com.blizzard.messenger.AUTHENTICATOR_CREDENTIALS_ENCRYPTION_TYPE">AES</string>
    <boolean name="com.blizzard.messenger.AUTHENTICATOR_SETUP_POSTPONE_LOGIN" value="false" />
    <string name="com.blizzard.messenger.AUTHENTICATOR_RESTORE_CODE">Y</string>
    <string name="com.blizzard.messenger.PREF_AUTHENTICATION_PROVIDER_CLIENT_ID">C</string>
    <string name="com.blizzard.messenger.AUTHENTICATOR_DEVICE_SECRET">X </string>
    <string name="com.blizzard.messenger.PREF_AUTHENTICATION_PROVIDER_HOST_URL">oauth.battle.net</string>
    <string name="com.blizzard.messenger.AUTHENTICATOR_BGS_REGION_CODE">EU</string>
    <string name="com.blizzard.messenger.AUTHENTICATOR_SERIAL">R</string>
    <long name="com.blizzard.messenger.AUTHENTICATOR_SERVER_TIME_DIFF" value="0" />
</map>

alvinpeters commented 1 year ago

LOL IT FUCKING WORKED HAHAHAHAHA THANK YOU SO MUCH @mx03

Sadly that forces everyone to download the app and log in once before getting the client ID. Are you actually sure about the client ID being per-user? I'm gonna test with different accounts later if you haven't tried that. And would non-rooted users be able to access that directory?

For those waiting for an app to automate these steps (only slightly, due to the way of getting the client ID/device secret), this is what I did:

  1. Download the Battle.net Messenger
  2. Log in to the app
  3. (This step might need root) Get the secret:
    • From the app
      1. Press "Enable now" when prompted to enable the authenticator
      2. Go to /data/data/com.blizzard.messenger/shared_prefs/com.blizzard.messenger.authenticator_preferences.xml
      3. Either copy the file to the PC or open it on the phone
      4. Save the content of the string tag named "com.blizzard.messenger.AUTHENTICATOR_DEVICE_SECRET"
    • From the REST API
      1. Go to /data/data/com.blizzard.messenger/shared_prefs/com.blizzard.messenger.authenticator_preferences.xml
      2. Either copy the file to the PC or open it on the phone
      3. Copy the content of the string tag named com.blizzard.messenger.PREF_AUTHENTICATION_PROVIDER_CLIENT_ID
      4. Go to https://authenticator-rest-api.bnet-identity.blizzard.net/webjars/swagger-ui/index.html

        You can skip all the steps above with this client ID (as long as this doesn't get changed lol): baedda12fe054e4abdfc3ad7bdea970a

      5. Make sure to tick the 'auth.authenticator' scope, then click "Authorize", paste the acquired client ID into the client ID input, then click "Authorize".
      6. Log in if you are not logged in already. Either way, you should be redirected back and see the client ID input as just client_id: ******
      7. Click the "POST: Click and add a brand new authenticator..." header, click "Try it out", then "Execute".
      8. The response should be "200: OK" with a JSON output providing your device secret
      9. Save the value of deviceSecret, and might as well save serial and restoreCode for backup
  4. Convert the device secret from hex to base32. On Linux and maybe macOS, this can be done with echo "PASTEYOURDEVICESECRETHERE" | xxd -r -p | base32
  5. Put the converted secret into your authenticator of choice and set the digits to 8. I use Aegis and it works.

alvinpeters commented 1 year ago

Maybe there is an API that allows us to grab a custom per user client ID like the app but that's highly improbable.

mx03 commented 1 year ago

As the app has certificate pinning, I haven't had the time to look into more details, but it shouldn't be hard to do an OAuth auth like the app and get the client ID.

alvinpeters commented 1 year ago

@mx03 does your client id start and end with 'b' and 'a' respectively? Because if so, the client ID is the same everywhere. I tried with two accounts and it is the same. Just wondering if it's also the same on all devices.

Just wondering because maybe we can just distribute the client ID since it's hard/impossible for people without rooted phones to get the client ID anyways.

mx03 commented 1 year ago

> @mx03 does your client id start and end with 'b' and 'a' respectively? Because if so, the client ID is the same everywhere. I tried with two accounts and it is the same. Just wondering if it's also the same on all devices.
>
> Just wondering because maybe we can just distribute the client ID since it's hard/impossible for people without rooted phones to get the client ID anyways.

Yes, starts with b and ends with a. So it seems it is the same. Just thought about OAuth, and yes, the client ID is no secret: https://www.oauth.com/oauth2-servers/client-registration/client-id-secret/ . Just half a year ago I implemented OAuth myself; I just forgot the naming and the use of the client ID.

alvinpeters commented 1 year ago

Reckoned I'm backed into a corner on this one. The localhost redirects are not whitelisted for this client ID; it only allows redirects to the Swagger UI (https://authenticator-rest-api.bnet-identity.blizzard.net/swagger-ui/oauth2-redirect.html) and probably the localhost address pointing to the Messenger. I'm wondering how Android apps implement OAuth2 with just a client ID and then redirect to the device's web viewer/browser? Sniffing full HTTPS URLs is impossible, so the only way to figure this out is by trying to reverse engineer it lol

So ye, it's kinda pointless even to make an app for this if you can't ask for an oauth2 token from the device with the client ID provided. I'm putting the client ID of the Battle.net Messenger baedda12fe054e4abdfc3ad7bdea970a so everyone can make use of it above

Screenshot_20230801-085240.png

mx03 commented 1 year ago

Yes, this way probably only works with an Electron app that can fetch the token from the returning URL.

The Android app itself does this login request: https://account.battle.net/login?sdkVersion=masdk/7.2.1&code_verifier=[XXX]&deviceId=[XXX]&clientVersion=1.19.2.7&continuation-type=NATIVE_HANDOFF&flowTrackingId=[XXX]&app=BSAp&ca&ref=blizzard-social%3A%2F%2Flocalhost%3A0%2F but that URL blizzard-social://localhost:0/ still doesn't work directly with the authenticator-rest API.

The response url is blizzard-social://localhost:0/?ST=[XXX]&STT=enc&accountId=[XXX]&flowTrackingId=[XXX]&flow_type=hard_account_login.

lightmaster commented 1 year ago

@striczkof Think the client ID might have changed, as I just tried this and get back 403: Forbidden..... The request requires higher privileges than provided by the access token. Gonna hunt down an old Android phone that's rooted so I can get the /data file to check the new client ID

alvinpeters commented 1 year ago

> @striczkof Think the client ID might have changed, as I just tried this and get back 403: Forbidden..... The request requires higher privileges than provided by the access token. Gonna hunt down an old Android phone that's rooted so I can get the /data file to check the new client ID

@lightmaster Did you tick the "auth.authenticator" scope before trying to log in? I think I might have forgotten to add that in the instructions.

alvinpeters commented 1 year ago

@lightmaster Oh yeah, I did forget 💀

lightmaster commented 1 year ago

90% sure I did, but I'll run it again to make sure

lightmaster commented 1 year ago

I was wrong, apparently I didn't tick that box. Got serial, restorecode, and secret back. Thx

BlastBolt5 commented 1 year ago

@striczkof thank you so much for solving this, finally can have totp in bitwarden for blizzard

Drudoo commented 1 year ago

I did what @striczkof described (using the above device ID), but whenever I try to attach the converted device secret to a password manager (tried 1Password and MS Authenticator) I only get 6-digit codes, which are then not accepted by the BN client.

EDIT: Nevermind. I created the QR code wrong. Works in 1Password now.

TXort commented 12 months ago

I managed to get the AUTHENTICATOR_DEVICE_SECRET string using the rooted phone method, but I could not figure out what to do next and could not get it working by trial and error. For me, AUTHENTICATOR_DEVICE_SECRET is 2 base64 strings separated by a comma, with lengths 64 and 24. What am I doing wrong?

vmoffset commented 11 months ago

> I managed to get the AUTHENTICATOR_DEVICE_SECRET string using the rooted phone method, but I could not figure out what to do next and could not get it working by trial and error. For me, AUTHENTICATOR_DEVICE_SECRET is 2 base64 strings separated by a comma, with lengths 64 and 24. What am I doing wrong?

Same here, the API method seems to be patched when going to the swagger-ui:

{"errorCode":"BLZBNTARA10000000","message":"An unknown server error occurred."}

So the root method is the only option. I got the XML; however, it's all bytes, I believe, after base64-decoding it. Hoping someone can figure this out, maybe @mx03

alvinpeters commented 11 months ago

> I managed to get the AUTHENTICATOR_DEVICE_SECRET string using the rooted phone method, but I could not figure out what to do next and could not get it working by trial and error. For me, AUTHENTICATOR_DEVICE_SECRET is 2 base64 strings separated by a comma, with lengths 64 and 24. What am I doing wrong?
>
> Same here, the API method seems to be patched when going to the swagger-ui:
>
> {"errorCode":"BLZBNTARA10000000","message":"An unknown server error occurred."}
>
> So the root method is the only option. I got the XML; however, it's all bytes, I believe, after base64-decoding it. Hoping someone can figure this out, maybe @mx03

LOL

I thought the same too, but apparently, they did not get rid of it. They just changed the URL to https://authenticator-rest-api.bnet-identity.blizzard.net/webjars/swagger-ui/index.html (redirect from https://authenticator-rest-api.bnet-identity.blizzard.net/) and the client ID still works somehow. (tried getting my serial and restore and it works) Still invalid callback for localhost so can't make a client for this one :/

As for the device secret, they probably changed its format. I gotta check when I have free time.

ldehaas1612 commented 11 months ago

> LOL IT FUCKING WORKED HAHAHAHAHA THANK YOU SO MUCH @mx03
>
> Sadly that forces everyone to download the app and log in once before getting the client ID. Are you actually sure about the client ID being per-user? I'm gonna test with different accounts later if you haven't tried that. And would non-rooted users be able to access that directory?
>
> For those waiting for an app to automate these steps (only slightly, due to the way of getting the client ID/device secret), this is what I did:
>
>   1. Download the Battle.net Messenger
>   2. Log in to the app
>   3. (This step might need root) Get the secret:
>     • From the app
>       1. Press "Enable now" when prompted to enable the authenticator
>       2. Go to /data/data/com.blizzard.messenger/shared_prefs/com.blizzard.messenger.authenticator_preferences.xml
>       3. Either copy the file to the PC or open it on the phone
>       4. Save the content of the string tag named "com.blizzard.messenger.AUTHENTICATOR_DEVICE_SECRET"
>     • From the REST API
>       1. Go to /data/data/com.blizzard.messenger/shared_prefs/com.blizzard.messenger.authenticator_preferences.xml
>       2. Either copy the file to the PC or open it on the phone
>       3. Copy the content of the string tag named com.blizzard.messenger.PREF_AUTHENTICATION_PROVIDER_CLIENT_ID
>       4. Go to https://authenticator-rest-api.bnet-identity.blizzard.net/webjars/swagger-ui/index.html
>
>         You can skip all the steps above with this client ID (as long as this doesn't get changed lol): baedda12fe054e4abdfc3ad7bdea970a
>
>       5. Make sure to tick the 'auth.authenticator' scope, then click "Authorize", paste the acquired client ID into the client ID input, then click "Authorize".
>       6. Log in if you are not logged in already. Either way, you should be redirected back and see the client ID input as just client_id: ******
>       7. Click the "POST: Click and add a brand new authenticator..." header, click "Try it out", then "Execute".
>       8. The response should be "200: OK" with a JSON output providing your device secret
>       9. Save the value of deviceSecret, and might as well save serial and restoreCode for backup
>   4. Convert the device secret from hex to base32. On Linux and maybe macOS, this can be done with echo "PASTEYOURDEVICESECRETHERE" | xxd -r -p | base32
>   5. Put the converted secret into your authenticator of choice and set the digits to 8. I use Aegis and it works.

I just wanted to chip in and provide my 2 cents about this one. I followed the above instructions, and it turns out you do not need to have the authenticator installed and do not have to use a special client ID. Just do the following to get the 2FA secret:

As you can see, lots of overlap, but streamlined process. Hope this helps the next person! Thanks @mx03 and @striczkof!

alvinpeters commented 11 months ago

Awesome. Much cleaner instructions are great for people!

oelna commented 10 months ago

This totally worked for me. Without ever installing the Authenticator app, I got the secret from the API, put it in the setup URL like so: otpauth://totp/BattleNet:Battle.net?secret=<yoursecrethere>&digits=8

Worked in both 1Password, as well as iCloud Keychain Passwords.

stacksjb commented 10 months ago

YES! This is beautiful. I just added Battle.net to Authy! WHOOHOO! Now I can use it on all my devices since it is synced.

I followed the process above; a few comments on the process:

1) I first had to remove the Authenticator, then authenticate through the API as shown above. I did NOT remove my mobile number on my Authenticator device, so I had to do text message/email confirmation.

2) After first logging in, I immediately got a text message that said "Your account has been locked. Please visit Battle.net account/support to resolve". However, after then clicking the "Re-send" button to send the text message verification code, I received it and was able to log in (and got the 200 response code). (I now noticed I could have probably just unchecked "Require code every time I log in" to fix the frustrations that got me searching for this 😆, but too late now.)

3) After getting the secret back and converting it to base32, I was able to successfully paste it into the Authy "Add Account", where I then selected "8 digits", and confirmed it works successfully.

Questions: 1) I noticed I got an "EU" authenticator, not a "US" one - does that matter for anything? Does anyone know?

piec commented 10 months ago

Thanks guys, works for me too! :) In my case the device secret field in com.blizzard.messenger.authenticator_preferences.xml seemed encoded (and not stored in plain text). Could be due to a more recent version? I used the API to register a new authenticator.

You can also display a QR code from the terminal using qrencode (worked for Aegis):

deviceSecret=...   # hex deviceSecret from the API response
b32Secret=$(echo -n "$deviceSecret" | xxd -r -p | base32)   # hex -> raw bytes -> base32
qrencode -t ansiutf8 <<< "otpauth://totp/Battle.net?secret=${b32Secret}&digits=8"   # render the QR code in the terminal
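The conversion the thread keeps repeating (hex deviceSecret to base32, then an otpauth:// URI with digits=8) is easy to get wrong by hand, and a QR code alone does not tell you whether the resulting codes are right. The following Python is an added example, not code from python-bna or from the Battle.net app: it parses the shared_prefs XML layout quoted earlier in the thread (the sample file, its serial and its secret are constructed; the secret is the RFC 6238 test key, not a real device secret), converts the hex secret the same way as `xxd -r -p | base32`, builds the otpauth URI, and computes the 8-digit RFC 6238 code so the result can be compared against an existing authenticator before the old one is removed. The function names (`read_prefs`, `hex_secret_to_base32`, `otpauth_uri`, `totp`, `enroll_from_prefs`) are this example's own. The comma-separated, base64-looking secret some commenters found is not plain hex and is rejected rather than guessed at.

```python
"""Battle.net device secret -> base32 -> otpauth URI -> 8-digit TOTP.

Added example, not part of python-bna or the Battle.net app. Reproduces the
thread's manual steps (`xxd -r -p | base32`, otpauth://...&digits=8) and adds
an RFC 6238 computation so the codes can be checked before trusting them.
"""
import base64
import binascii
import hashlib
import hmac
import re
import struct
import time
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

PREFS_PREFIX = "com.blizzard.messenger."

# Constructed sample in the layout of the shared_prefs file quoted in the thread.
# The secret is the RFC 6238 test key "12345678901234567890" as hex, NOT a real one;
# the serial is a placeholder.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="com.blizzard.messenger.AUTHENTICATOR_CREDENTIALS_ENCRYPTION_TYPE">AES</string>
    <string name="com.blizzard.messenger.AUTHENTICATOR_DEVICE_SECRET">3132333435363738393031323334353637383930 </string>
    <string name="com.blizzard.messenger.AUTHENTICATOR_BGS_REGION_CODE">EU</string>
    <string name="com.blizzard.messenger.AUTHENTICATOR_SERIAL">EU-PLACEHOLDER-SERIAL</string>
</map>
"""


def read_prefs(xml_text):
    """Return {short_name: value} for every <string> entry in the prefs XML."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    prefs = {}
    for el in root.findall("string"):
        name = el.get("name", "")
        if name.startswith(PREFS_PREFIX):
            name = name[len(PREFS_PREFIX):]
        # The thread's sample had a trailing space inside the secret tag; strip it.
        prefs[name] = (el.text or "").strip()
    return prefs


def hex_secret_to_base32(hex_secret):
    """Equivalent of `echo -n $hex | xxd -r -p | base32`, without '=' padding.

    Raises ValueError when the value is not plain hex, e.g. the comma-separated
    pair of base64 strings some commenters saw (an encrypted variant this
    example does not try to decode).
    """
    cleaned = hex_secret.strip()
    if not re.fullmatch(r"[0-9a-fA-F]+", cleaned) or len(cleaned) % 2:
        raise ValueError("device secret is not plain hex; encrypted variants are not handled")
    raw = binascii.unhexlify(cleaned)
    return base64.b32encode(raw).decode("ascii").rstrip("=")


def otpauth_uri(b32_secret, label="Battle.net", digits=8):
    """Build the otpauth:// URI used in the thread (digits=8 is what Battle.net expects)."""
    query = urlencode({"secret": b32_secret, "digits": digits})
    return f"otpauth://totp/{quote(label)}?{query}"


def totp(b32_secret, for_time=None, digits=8, step=30):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 secret; returns a zero-padded string."""
    if for_time is None:
        for_time = time.time()
    padded = b32_secret + "=" * (-len(b32_secret) % 8)  # restore padding for the decoder
    key = base64.b32decode(padded, casefold=True)
    counter = struct.pack(">Q", int(for_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def enroll_from_prefs(xml_text):
    """Full pipeline: prefs XML -> base32 secret, otpauth URI and a current 8-digit code."""
    prefs = read_prefs(xml_text)
    b32 = hex_secret_to_base32(prefs["AUTHENTICATOR_DEVICE_SECRET"])
    return {
        "serial": prefs.get("AUTHENTICATOR_SERIAL"),
        "base32_secret": b32,
        "otpauth": otpauth_uri(b32),
        "code_now": totp(b32),
    }


if __name__ == "__main__":
    for key, value in enroll_from_prefs(SAMPLE_PREFS_XML).items():
        print(f"{key}: {value}")
```

Running it prints the base32 secret, the otpauth URI and the code for the current 30-second window. `totp()` also accepts an explicit Unix time, so the RFC 6238 test vectors (time 59 gives 94287082 for this key) can be used to check the implementation, and the same call can be compared against a still-working authenticator before the old enrollment is removed.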

LostRuins commented 9 months ago

Worrying news ahead

Fma965 commented 9 months ago

> Worrying news ahead

Isn't this what these instructions are for? I remember it being much simpler previously, so I assumed this is the new method for the new authenticator. Is this not the case?

Drudoo commented 9 months ago

> Worrying news ahead
>
> Isn't this what these instructions are for? I remember it being much simpler previously, so I assumed this is the new method for the new authenticator. Is this not the case?

It looks like the email is only sent to users of the old authentication method. I have two accounts, one using this method and one with the new bnet authenticator. I only got the email on the account using this method, which would indicate that it is the old authenticator method.

Fma965 commented 9 months ago

> Worrying news ahead
>
> Isn't this what these instructions are for? I remember it being much simpler previously, so I assumed this is the new method for the new authenticator. Is this not the case?
>
> It looks like the email is only sent to users of the old authentication method. I have two accounts, one using this method and one with the new bnet authenticator. I only got the email on the account using this method, which would indicate that it is the old authenticator method.

To clarify, you have used the method mentioned here? https://github.com/jleclanche/python-bna/issues/38#issuecomment-1746656464 The last time I added 2FA to Bitwarden was via WinAuth.

It's not possible to use this method without a number linked to my account. Working with support to get my number moved from some dodgy account, but I did have 2FA set up, so either they enforced needing a phone number linked or this method is different to the old method I used.

Drudoo commented 9 months ago

> Worrying news ahead
>
> Isn't this what these instructions are for? I remember it being much simpler previously, so I assumed this is the new method for the new authenticator. Is this not the case?
>
> It looks like the email is only sent to users of the old authentication method. I have two accounts, one using this method and one with the new bnet authenticator. I only got the email on the account using this method, which would indicate that it is the old authenticator method.
>
> To clarify, you have used the method mentioned here? #38 (comment) The last time I added 2FA to Bitwarden was via WinAuth.
>
> It's not possible to use this method without a number linked to my account. Working with support to get my number moved from some dodgy account, but I did have 2FA set up, so either they enforced needing a phone number linked or this method is different to the old method I used.

Yes. That is the method I used. Currently I am using this with 1Password.

ldehaas1612 commented 9 months ago

> Worrying news ahead
>
> Isn't this what these instructions are for? I remember it being much simpler previously, so I assumed this is the new method for the new authenticator. Is this not the case?
>
> It looks like the email is only sent to users of the old authentication method. I have two accounts, one using this method and one with the new bnet authenticator. I only got the email on the account using this method, which would indicate that it is the old authenticator method.
>
> To clarify, you have used the method mentioned here? #38 (comment) The last time I added 2FA to Bitwarden was via WinAuth. It's not possible to use this method without a number linked to my account. Working with support to get my number moved from some dodgy account, but I did have 2FA set up, so either they enforced needing a phone number linked or this method is different to the old method I used.
>
> Yes. That is the method I used. Currently I am using this with 1Password.

Can you tell me where you went that you got this message? I logged in using this method just two days ago and didn't see anything. Nothing in the mail and no way to trigger it. I'm extremely curious to see where this message comes from.

Fma965 commented 9 months ago

> Worrying news ahead
>
> Isn't this what these instructions are for? I remember it being much simpler previously, so I assumed this is the new method for the new authenticator. Is this not the case?
>
> It looks like the email is only sent to users of the old authentication method. I have two accounts, one using this method and one with the new bnet authenticator. I only got the email on the account using this method, which would indicate that it is the old authenticator method.
>
> To clarify, you have used the method mentioned here? #38 (comment) The last time I added 2FA to Bitwarden was via WinAuth. It's not possible to use this method without a number linked to my account. Working with support to get my number moved from some dodgy account, but I did have 2FA set up, so either they enforced needing a phone number linked or this method is different to the old method I used.
>
> Yes. That is the method I used. Currently I am using this with 1Password.
>
> Can you tell me where you went that you got this message? I logged in using this method just two days ago and didn't see anything. Nothing in the mail and no way to trigger it. I'm extremely curious to see where this message comes from.

The email was sent very recently; you may get one later. Personally I'm not convinced this is for the new method, though; this seems to be for those that were using the Battle.net Authenticator app.

For me, I got the email 40 mins ago.

Drudoo commented 9 months ago

This is an email from blizzard to my specific email that is only used with this bnet account. I received this email less than 24h ago.

My other bnet that uses the regular ‘new’ bnet authenticator did not receive this email.

stacksjb commented 9 months ago

I did not receive either email.

As you can see from the email, this is for the old Authenticator app (i.e. https://play.google.com/store/apps/details?id=com.blizzard.bma&hl=en_US&gl=US) which is no longer used - it is replaced by the new Battle.net app (https://play.google.com/store/apps/details?id=com.blizzard.messenger&hl=en_US&gl=US)

It has nothing to do with your authentication method, rather the app you are using.

See https://us.battle.net/support/en/article/24520

enticedwanderer commented 9 months ago

Yeah I got that email too and I was using Battle.net Authenticator App at some point but then migrated to Bitwarden/Aegis.

The real question is if you associate a new authenticator against the new endpoints backing the new mobile app (or restore the existing authenticator into it), will they still strip it come Jan 6th? I can see this happening for 2 reasons:

  1. The official app registers you somewhere else as having done the migration, and the procedure above doesn't do that.
  2. You still have the authenticator on the legacy endpoint active.

I have simply restored my existing authenticator following the procedure above, but as far as I can see, there is no way to verify after doing this we still won't get the authenticator stripped.

oelna commented 9 months ago

It was fun while it lasted. Thanks Obama!

Fma965 commented 9 months ago

> Yeah I got that email too and I was using Battle.net Authenticator App at some point but then migrated to Bitwarden/Aegis.
>
> The real question is if you associate a new authenticator against the new endpoints backing the new mobile app (or restore the existing authenticator into it), will they still strip it come Dec 5th? I can see this happening for 2 reasons:
>
>   1. The official app registers you somewhere else as having done the migration, and the procedure above doesn't do that.
>   2. You still have the authenticator on the legacy endpoint active.
>
> I have simply restored my existing authenticator following the procedure above, but as far as I can see, there is no way to verify after doing this we still won't get the authenticator stripped.

I reckon it will be fine. Activision/Blizzard aren't the smartest when it comes to security; no way they made a database to cross-reference lol

I'm sure this is for the old authenticator app, the one that WinAuth and this project used to use etc.

> It has nothing to do with your authentication method, rather the app you are using.

Well of course it does; the different app uses a different authentication method, different API calls, different endpoints etc. People using Bitwarden etc. have previously used WinAuth or this project to get the 2FA string; they then used the method mentioned a few comments up when Battlenet migrated, so presumably the new method (mentioned above) should work the same as the new app.

LostRuins commented 9 months ago

I don't get it. Isn't the "new" authenticator some sort of push notification based thing? I see the Play Store screenshots showing "Approve" and "Deny" buttons as well as the login attempt timestamp, indicating it requires internet connectivity and is no longer TOTP based, hence Aegis will no longer work.

Did I get something wrong? Are we all doomed?

cont1nuity commented 9 months ago

It is both, similar to MS Authenticator. Push and manual generation (fallback) are available.

I am using the new bnet authenticator after migrating a while back and recently extracted my secret using the REST API with the steps above. The POST can be used to retrieve your secret.

I have a feeling that re-registering the authenticator using the authenticator POST from the REST with the existing restore data might be enough to trigger the migration. But I cannot tell that for sure.

ps245 commented 9 months ago

> Yes, this way probably only works with an Electron app that can fetch the token from the returning URL.

That's more or less how https://github.com/abrasive/mygov-totp-enroll works, which is used with the IBM enrollment API.

ps245 commented 9 months ago

> Are you actually sure about the client ID being per-user

It most certainly is the same:

public static final OAUTH_SERVICE_CLIENT_ID_PROD:Ljava/lang/String; = "baedda12fe054e4abdfc3ad7bdea970a"

You're welcome.

ldehaas1612 commented 9 months ago

So far I'm not worried that my account will be stripped from the 2FA. I have still not received any mails or messages from Battle.net. I did however give them my phonenumber a while back before generating the 2FA secret with their new api. But regardless, I strongly believe that the latest API way of adding the secret to your 2FA app of choice should work just fine even after January 5th. I'm feeling great about this! No need to worry, at least not on my end. I must admit, I never had their old app and did install the new app before just using the API key. So just to be sure, if you have gotten the email, I'd suggest to remove the 2FA completely and do a clean code generation using the steps here See you all on the other side after January 5th πŸ˜‰