
Discord/Twitch/Snapchat age verification bypass

714 points by JustSkyfall yesterday at 10:56 PM | 296 comments

Comments

shevy-java today at 4:38 AM

"k-id, the age verification provider discord uses doesn't store or send your face to the server. instead, it sends a bunch of metadata about your face and general process details."

I think the primary issue is not the "send your face" (face info) to a server. The problem is that private entities are greedy for user data, in this case tying facial recognition to activities related to interacting with other people, most of them probably real people. So this creates a huge database - it is no surprise that greedy state actors and private companies want that data. You can use it for many things, including targeted ads.

For me the "must verify" is clearly a lie. They can make it "sound logical" but that does not convince me in the slightest. Back in the age of IRC (I started with mIRC in the 1990s, when I was using windows still), the thought of requiring others to show their faces never occurred to me at all. There were eventually video-related formats but to me it felt largely unnecessary for the most part. Discord is (again to me) nothing but a fancier IRC variant that is controlled by a private (and evidently greedy) actor.

So while it is good to have the information how to bypass anything there, my biggest gripe is that people should not think about it in this way. Meaning, bypassing is not what I would do in this case; I would simply abandon the private platform altogether. People made Discord big; people should make Discord small again if they sniff after them.

jfaganel99 today at 8:39 AM

Worth noting the irony cycle: Discord's October 2025 breach leaked ~70,000 government IDs from their support vendor 5CA, which pushed them toward "privacy-preserving" on-device face estimation via k-ID. But the privacy-preserving design (run the model locally, only send metadata) is exactly what makes it trivially spoofable. The encryption is solid (AES-GCM with HKDF-derived keys) but it protects transport integrity, not input authenticity.

So they moved away from collecting IDs because collecting IDs is a liability, and moved toward a system that's bypassable because it doesn't collect enough to verify. This isn't solvable without hardware attestation (App Attest, Play Integrity), which kills the browser flow and still doesn't prevent pointing the camera at a screen.

Age verification as a concept requires either trusting the client (spoofable), collecting sensitive data (breach liability), or binding to attested hardware (excludes platforms and users). Pick your poison. Every vendor in this space is just choosing which failure mode they prefer.
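
The distinction drawn in the comment above, between transport integrity and input authenticity, as an added illustration that is not part of the thread or of k-ID's code. It is a Node.js sketch in which the HKDF label, secret, salt and metadata fields are all constructed, and the client is assumed to hold the derived key because it performs the encryption.

```javascript
// Added illustration; every name and value below is constructed.
// Loads node:crypto under either CommonJS or ES modules.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto')
  : process.getBuiltinModule('node:crypto');

// HKDF-SHA256 -> 32-byte AES-256-GCM key from session key material.
function deriveKey(secret, salt) {
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, salt, 'age-estimate-v1', 32));
}

// Client side: encrypts whatever metadata object it is handed.
function seal(key, metadata) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(metadata), 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Server side: returns the parsed metadata, or null if the GCM tag fails.
function open(key, { iv, ct, tag }) {
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAuthTag(tag);
    return JSON.parse(Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8'));
  } catch {
    return null;
  }
}

function demo() {
  const key = deriveKey(Buffer.from('constructed-session-secret'), Buffer.from('constructed-salt'));
  const fromModel = seal(key, { source: 'on-device model', ageGroup: 'adult' });
  const typedIn = seal(key, { source: 'hand-written', ageGroup: 'adult' });
  const tampered = { ...fromModel, ct: Buffer.from(fromModel.ct) };
  tampered.ct[0] ^= 0x01; // one bit flipped in transit
  return {
    modelAccepted: open(key, fromModel) !== null, // tag verifies
    typedAccepted: open(key, typedIn) !== null,   // tag verifies just the same
    tamperDetected: open(key, tampered) === null, // integrity failure is caught
  };
}
```

A valid GCM tag tells the server that the ciphertext came from a holder of the key and was not altered on the wire; it says nothing about how the plaintext values were produced.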

cocoto yesterday at 11:25 PM

The real and robust method will be generating artificial video input instead of the real webcam. I really don’t think any platform will be able to counter this. If they start requiring to use a phone with harder to spoof camera input, you will simply be able to put the camera in front of a high resolution screen. The cat and mouse game will not last long.

extraduder_ire today at 9:25 AM

Worth noting when you open up the developer tools console in discord (facebook and some other sites do it too), you get a regular message printed with "If someone told you to copy/paste something here, there’s an 11/10 chance you’re being scammed." and then "Pasting anything in here could give attackers access to your Discord account." in bold+red text. It used to also mention "free nitro" as an example of a scam you may be falling for.

I've heard, but haven't confirmed, they also detect you opening developer tools using various methods and remove your auth keys from localstorage while you have it open to make account takeovers harder. (but not impossible)

Opening the browser console in a separate window mitigates some of that detection.

Retr0id yesterday at 11:29 PM

Hm, when attempting it I get redirected to https://age-verifier.kibty.town/webview?url=null, which says:

{"error":"error parsing webview url"}

Edit: Apparently my discord account is in some kind of A/B feature test that uses a different verification provider, Persona

neilv today at 4:01 AM

Three problems with this:

1. Removes the pain of age verification, encouraging some people to stay in the proprietary walled garden when everyone would be better served by open platforms (and network effects).

2. Provides a pretext for more invasive age verification and identification, because "the privacy-respecting way is too easily circumvented".

3. Encourages people to run arbitrary code from a random Web site in connection with their accounts, which is bad practice, even if this one isn't malware and is fully secure.

r2vcap today at 2:44 AM

Well, it’s a clever idea. Discord seems to have intentionally softened its age-verification steps so it can tell regulators, “we’re doing something to protect children,” while still leaving enough wiggle room that technically savvy users can work around it.

But in practice, this only holds if regulators are either inattentive or satisfied with checkbox compliance. If a government is competent and motivated, this approach won’t hold up—and it may even antagonize regulators by looking like bad-faith compliance.

I’ve also heard that some governments are already pushing for much stricter age-verification protocols, precisely because people can bypass weaker checks—for example, by using a webcam with partial face covering to confuse ID/face matching. I can’t name specific vendors, but some providers are responding by deploying stronger liveness checks that are significantly harder to game. And many services are moving age verification into mobile apps, where simple JavaScript-based tricks are less likely to work.

brandonb927 today at 3:06 AM

Highly recommend wrapping the code to drop into the console in an immediately-invoked function expression; as it stands, it doesn't work in macOS Safari without an IIFE because top-level await is not supported in any version of Safari yet https://caniuse.com/wf-top-level-await.

scarygliders yesterday at 11:41 PM

It does appear to work. I received a message from Discord saying "We determined you're in the adult group. <learn more>"

narrator> And that's when he discovers his account has now been hacked...

;)

GaryBluto today at 12:04 AM

I don't understand why (mostly) young people put so much effort into remaining customers of a service that is actively hostile against them and that they do not like. Does the convenience of remaining on a service you don't like the management of outweigh the mild effort to find an alternative solution?

petterroea today at 9:06 AM

I pray the status quo is good enough for legal requirements and the hacks like these don't mean the end of on-device verification (or the requirement of chain of trust from boot)

NackerHughes today at 6:21 AM

Looks like it may already have been patched, it's not working for me.

Seems I'm not the only one either: https://github.com/xyzeva/k-id-age-verifier/issues/7

Namidairo today at 1:07 AM

I suspected something along these lines was possible when I looked at this provider a couple months ago.

If I recall, I had a fairly decent view of their various checks because it was delivered completely unminified, including a couple amusing sections and unimplemented features. (A gesture detector with the middle finger gesture in the enumerable commented out, for example...)

Another attack vector that I speculated upon was intercepting and replacing their tflite model with one's own, returning whatever results required.

Additionally, I believe they had a check for virtual camera names in place, as checks would quietly fail with a generic message in the interface, but show the reason as being virtual camera within responses. (Camera names are mutable though, so...)

engelo_b yesterday at 11:23 PM

the cat-and-mouse game of digital age verification is such a massive compliance headache. if these guards are this easy to bypass the platforms are basically just checking a box to satisfy regulators while leaving the actual liability wide open. it’s hard to underwrite trust when the verification layer is this brittle.

brokenmachine today at 1:28 AM

On Discord, I got the captcha, but then after it redirected, I got a page saying:

    {"error":"failed to execute k-id privately action (status=404)"}

I'm very much an adult, this whole thing is ridiculous. Ban me, I don't care.

jdthedisciple today at 7:40 AM

It worked for me (I got the green success message) however I did not get a confirmation DM from the "official Discord account" like others said they did.

Anyone got a clue what that means?

cedws today at 8:33 AM

UK user here, it still shows my account as Unverified after running :(

syntaxing yesterday at 11:25 PM

Wow that was a fun read, I never thought about the technical implementation of these verification systems.

hackersk today at 2:32 AM

I do not believe in the necessity of identity verification

dang today at 3:08 AM

Recent and related:

Discord will require a face scan or ID for full access next month - https://news.ycombinator.com/item?id=46945663 - Feb 2026 (1999 comments)

Discord Alternatives, Ranked - https://news.ycombinator.com/item?id=46949564 - Feb 2026 (456 comments)

Discord faces backlash over age checks after data breach exposed 70k IDs - https://news.ycombinator.com/item?id=46951999 - Feb 2026 (21 comments)

lelandfe today at 12:04 AM

Love that hackers are still using "greetz"

ryan-c today at 5:16 AM

Doesn't appear to be working, at least for UK purposes. Tool claimed to have worked, I dropped my VPN and my account is not age verified.

kelvinjps10 today at 5:45 AM

Why people act like this never has been implemented like the gigs and financial apps already validate identity

monksy today at 12:26 AM

This project is something that we would want to archive pretty quickly. I can see those services being upset over that being exposed.

electrotype today at 12:15 AM

I'm against workarounds. I'm pro "leaving them and only come back when Digital ID is not required anymore".

zerebos today at 12:43 AM

That code snippet for Discord is pretty brittle and will likely break with future updates.

nubinetwork today at 2:55 AM

Never trust user input wins again... on one hand, discord never sees your picture, on the other, you get this. :)

Fnoord today at 1:57 AM

Your browser is not currently supported. Please use a recommended browser or learn more here.

Apparently Twitch doesn't like Mozilla Firefox...

relma2 yesterday at 11:25 PM

Alright, how long until they patch this? Anyone takin' bets?

999900000999 today at 5:03 AM

With the way things are going, just go back to email.

CC everyone.

nirav72 today at 12:26 AM

That worked for me. Got a response on desktop discord client once it was done. Wonder how long before they lock this down.

lemoncookiechip today at 12:50 AM

Any chance this can be used to token-log people's accounts?

areoform today at 3:09 AM

The comments so far assume that Discord / Twitch / Snapchat don't care as entities that people will start bypassing their age verification systems. I believe the rank-and-file think that's the case. I think even the engineers and PMs think that's the case. But that's not the game.

There are many ways in which such a system could be implemented. They could have asked people to use a credit card. Adult entertainment services have been using this as a way to do tacit age verification for a very long time now. Or, they could have made a new zero-knowledge proof system. Or, ideally, they could have told the authorities to get bent.

Tech is hardly the first industry to face significant (justifiable or unjustifiable) government backlash. I am hesitant to use them as examples as they're a net harm, whereas this is about preventing a societal net harm, but the fossil fuel and tobacco industries fought their governments for decades and straight up changed the political system to suit them.

FAANG are richer than they ever were. Even Discord can raise more and deploy more capital than most of the tobacco industry at the time. It's also a righteous cause. A cause most people can get behind (see: privacy as a selling point for Apple and the backlash to Ring). But they're not fighting this. They're leaning into it.

Let's take a look at what they're asking from people for a second, the face scan,

    If you choose Facial Age Estimation, you’ll be prompted to record a short video selfie of your face. The Facial Age Estimation technology runs entirely on your device in real time when you are performing the verification. That means that facial scans never leave your device, and Discord and vendors never receive it. We only get your age group.

Their specific ask is to try and get depth data by moving the phone back and forth. This is not just "take a selfie" – they're getting the user to move the device laterally to extract facial structure. The "face scan" (how is that defined??) never leaves the device, but that doesn't mean the biometric data isn't extracted and sent to their third-party supplier, k-Id. From the article,

    k-id, the age verification provider discord uses doesn't store or send your face to the server. instead, it sends a bunch of metadata about your face and general process details.

The author assumes that "this [approach] is good for your privacy." It's not. If you give me the depth data for a face, you've given me the fingerprint for that face. A machine doesn't need pictures; "a bunch of metadata" will do just fine.

Discord is also doing profiling along vectors (presumably behavioral and demographic features) which the author describes as,

    after some trial and error, we narrowed the checked part to the prediction arrays, which are outputs, primaryOutputs and raws.

    turns out, both outputs and primaryOutputs are generated from raws. basically, the raw numbers are mapped to age outputs, and then the outliers get removed with z-score (once for primaryOutputs and twice for outputs).

Discord plugs into games and allows people to share what they're doing with their friends. For example, Discord can automatically share which song a user is listening to on Spotify with their friends (who can join in), the game they're playing, whether they're streaming on Twitch etc. In general, Discord seems to have fairly reliable data about the other applications the user is running. Discord also has data about your voice (which they say they may store) and now your face.

Is some or all of this data being turned into features that are being fed to this third-party k-ID? https://www.k-id.com/

https://www.forbes.com/sites/mattgardner1/2024/06/25/k-id-cl...

https://www.techinasia.com/a16z-lightspeed-bet-singapore-par...

k-ID is (at first glance) extracting fairly similar data from Snapchat, Twitch etc. With ID documents added into the mix, this certainly seems like a very interesting global profiling dataset backstopped with government documentation as ground truth. :)

thephotonsphere yesterday at 11:51 PM

too late: I have already deleted my Discord account; Twitch is also going to enforce this? hmmm...

zb3 today at 1:04 AM

Worked, hopefully Discord will retroactively discover this and ban my account.

idontwantthis today at 12:33 AM

Is this not easily patched by the provider encrypting and signing the whole payload? I would have thought that would be table stakes for an identity provider.

taesu yesterday at 11:31 PM

doesn't work - request times out.

whh yesterday at 11:26 PM

That was fast.

k33n today at 12:59 AM

Age verification itself isn't such a bad thing. I feel most people are more angry about having to verify their actual identity. Every ad provider knows your address and complete identity every time you log into anything though. I guess it's the illusion of anonymity that's so popular.

vimda today at 3:37 AM

Neat that this exists, but priming children to copy/paste random JavaScript into their Dev consoles feels like a recipe for disaster. Bets on how long before malware starts buying up "discord age verification bypass" ad spots?
