Snapchat python module always returns rateLimit: True
bhardy0630 opened this issue · 0 comments
Describe the bug:
Holehe Snapchat module as used in README.md "Python Example" header yields Exception:
IndexError: list index out of range
Traceback:
Traceback (most recent call last):
File "W:\Development\Python\(MyProject)\(MyModule).py", line 21, in <module>
trio.run(main)
File "W:\Development\Python\venv\(MyProject)\Lib\site-packages\trio\_core\_run.py", line 2010, in run
raise runner.main_task_outcome.error
File "W:\Development\Python\(MyProject)\(MyModule).py", line 16, in main
await snapchat(email, client, out)
File "W:\Development\Python\venv\(MyProject)\Lib\site-packages\holehe\modules\social_media\snapchat.py", line 12, in snapchat
xsrf = req.text.split('data-xsrf="')[1].split('"')[0]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: list index out of range
To Reproduce
Steps to reproduce the behavior:
- Call snapchat module (done exactly via example Python code in README.md)
- Receive IndexError Exception
- To resolve, modify Snapchat module to use new Snapchat authpage URL (see Context section below)
- Verify field 'data-xsrf=' is being scraped properly on new login page
- rateLimit always returns True
Expected behavior
Module output rateLimit field should properly show false when not actually ratelimited
Environment:
- OS: [Windows 10 x64]
- Python Version: Tested module on Python 3.8/3.11
- Holehe installed via pip3 on both versions
Additional context
After some quick investigation, the initial exception issue seems to be related to a move or change in the page Snapchat is using for their login portal:
Previous URL (in holehe module): https://accounts.snapchat.com (HTTP status 302 found)
Current URL (tested working): https://accounts.snapchat.com/accounts/login (HTTP status 200 OK)
Simply changing the URL in the module (line 11) resolves the Index Error exception and grabs data-xsrf field, however it seems to probably go a little deeper than that, since the subsequent output seems to call the exception handler in the module (line 44).
Subsequent output:
[{'name': 'snapchat', 'domain': 'snapchat.com', 'method': 'login', 'frequent_rate_limit': False, 'rateLimit': True, 'exists': False, 'emailrecovery': None, 'phoneNumber': None, 'others': None}]
It would seem unlikely to be an actual ratelimit, as I have tried this both over VPN (a few locations) and home connection with the same result.
This is speculation, but using browser dev tools to inspect Snapchat's new login URL shows a new hidden input field under the xsrf-token field named "arkose-token" along with a data-use-arkose="true" field in the same pusher div as data-xsrf="$token".
Arkose Labs appears to be a company that provides "Bot Prevention" services (ref: https://www.arkoselabs.com/)
This is my first bug report - I wanted to be thorough - apologies if it's a little verbose!
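One way a scraping module could report these cases separately, rather than raising IndexError or folding every failure into rateLimit, shown as an added example (not holehe's code and not part of the original report). `classify_login_page`, `LoginPageState` and the sample HTML are hypothetical; the markup is constructed from the description in the report and the real page may differ.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Optional


@dataclass
class LoginPageState:
    status: str                 # "ok", "bot_challenge", "no_token" or "http_error"
    xsrf: Optional[str] = None


class _AttrFinder(HTMLParser):
    """Records the first data-xsrf value and any sign of an Arkose challenge."""

    def __init__(self):
        super().__init__()
        self.xsrf = None
        self.arkose = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names arrive lower-cased; values may be None
        if self.xsrf is None and a.get("data-xsrf"):
            self.xsrf = a["data-xsrf"]
        if (a.get("data-use-arkose") or "").lower() == "true":
            self.arkose = True
        if tag == "input" and a.get("name") == "arkose-token":
            self.arkose = True


def classify_login_page(status_code: int, body: str) -> LoginPageState:
    """Name the failure mode instead of indexing blindly into split() output."""
    if status_code != 200:
        return LoginPageState("http_error")      # e.g. the 302 on the old URL
    finder = _AttrFinder()
    finder.feed(body)
    if finder.xsrf is None:
        return LoginPageState("no_token")        # layout changed or wrong page
    if finder.arkose:
        return LoginPageState("bot_challenge", finder.xsrf)
    return LoginPageState("ok", finder.xsrf)


# Constructed samples, not captured from the real site.
REDIRECT_BODY = "<html><body>Found</body></html>"
PLAIN_PAGE = '<div class="pusher" data-xsrf="CONSTRUCTED_TOKEN"></div>'
ARKOSE_PAGE = ('<div class="pusher" data-xsrf="CONSTRUCTED_TOKEN" data-use-arkose="true">'
               '<input type="hidden" name="xsrf_token" value="CONSTRUCTED_TOKEN">'
               '<input type="hidden" name="arkose-token" value=""></div>')
```

A caller would set rateLimit only when the service actually signals throttling, and surface "no_token" or "bot_challenge" as distinct errors.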