realytcracker / go-jamcracker

a simple animal jam brute force password cracker with concurrency
MIT License

Re-Wrote this program #5

Closed TorinTurner closed 9 months ago

TorinTurner commented 4 years ago

Re-wrote your program due to the EOF; I fixed it and never had the issue again. Now, there is a rate limit on the API. I've tested rotating proxies but it's just too slow and they don't connect fast enough after each password attempt. I was thinking Tor, but even then with new identities, those IP addresses will be API banned. This rate limit method, from what I've observed through testing, is x amount of passwords tried in x amount of time resulting in the block of sending API requests. And the API ban is not perm, just temp, discovered while testing without my VPN accidentally.

Any ideas? I've had fun trying new ideas and such but am running dry.

TorinTurner commented 4 years ago

Also, feel free to DM me on Instagram @TorinTurner for a more one on one conversation that is private.

realytcracker commented 4 years ago

awesome! there are actually a couple ways to positively address it and i wasn’t keen on weaponizing it myself - i expected more people to “figure it out” and use it as a lesson if they wanted to get it working, but you know how that goes. the program only serves one purpose (obviously nefarious), so i’ve been hesitant about personally patching it for people that are just looking for something plug and play. the semaphore method illustrated has also fallen out of favor and been superseded by other idiomatic plays.


On Nov 19, 2019, at 3:33 PM, Torin Turner notifications@github.com wrote:

 Also, feel free to DM me on Instagram @TorinTurner for a more one on one conversation that is private.


TorinTurner commented 4 years ago

Of course, who wouldn't be hesitant? Programs like this can never be good if used by the wrong people. Ruining the fun for us who have fun finding these security loopholes and workarounds. The method was simple and I was surprised by its simplicity and ability to work as fast as it did with the API. I think a possible way around this API rating would be to figure out max attempts in a set time then setting a pause for proxy rotate (which is still too slow for my liking.)

I also haven't tried this yet and doubt it would work, but instead of going through every password on said account, it may be possible the API block doesn't trigger when it is a new username per attempt. So rotate through every username on the first password, then so on.

I'll try this.

TorinTurner commented 4 years ago

The normal login site does not trigger the Captcha if the username is changed by a capital letter or vice versa per attempt, allowing more attempts. New username attempts also completely reset it.

realytcracker commented 4 years ago

i hit you on instagram btw
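
The captcha behaviour reported earlier in this thread (a case change or a fresh username resets the counter) is consistent with a failure counter keyed on the exact username string. As an added defensive example, not code from this thread or from the go-jamcracker project, this Go throttle counts failures per case-folded account and, separately, per source address across all usernames. The names `Throttle`, `NewThrottle`, `Allowed` and `RecordFailure`, the limits, and the documentation-range addresses are assumptions, and lower-casing stands in for whatever canonical form the account store actually uses.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Throttle tracks failed logins per canonical account and per source address.
// Hypothetical type; not goroutine-safe, guard it with a sync.Mutex in a real handler.
type Throttle struct {
	window                time.Duration
	maxAccount, maxSource int
	failures              map[string][]time.Time // keys: "acct:<name>" or "src:<addr>"
}

func NewThrottle(w time.Duration, maxAcct, maxSrc int) *Throttle {
	return &Throttle{window: w, maxAccount: maxAcct, maxSource: maxSrc, failures: map[string][]time.Time{}}
}

// acctKey folds case so "Alice" and "alice" share one counter.
func acctKey(u string) string { return "acct:" + strings.ToLower(strings.TrimSpace(u)) }

// live returns the failures under key still inside the window (stored oldest first).
func (t *Throttle) live(key string, now time.Time) []time.Time {
	ts := t.failures[key]
	for len(ts) > 0 && now.Sub(ts[0]) >= t.window {
		ts = ts[1:]
	}
	return ts
}

// Allowed reports whether an attempt may proceed; the source counter spans every username.
func (t *Throttle) Allowed(username, source string, now time.Time) bool {
	return len(t.live(acctKey(username), now)) < t.maxAccount && len(t.live("src:"+source, now)) < t.maxSource
}

// RecordFailure charges a failed login to both the account and the source.
func (t *Throttle) RecordFailure(username, source string, now time.Time) {
	a, s := acctKey(username), "src:"+source
	t.failures[a], t.failures[s] = append(t.live(a, now), now), append(t.live(s, now), now)
}

func main() { // constructed input: three failures on case variants of one name
	t, now := NewThrottle(time.Minute, 3, 20), time.Now()
	for _, u := range []string{"alice", "Alice", "ALICE"} {
		t.RecordFailure(u, "203.0.113.7", now)
	}
	fmt.Println("aLiCe allowed:", t.Allowed("aLiCe", "203.0.113.7", now))
}
```

Because the per-source counter ignores the username, switching to a new account name on every request does not reset it, and a successful login should not clear it either.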