
I Like Kill Nerds

The blog of Australian Front End / Aurelia Javascript Developer & brewing aficionado Dwayne Charrington // Aurelia.io Core Team member.


I Joined Truth Social Using a VPN and Editing Some HTML to Bypass the Phone Verification

Technology · August 12, 2022

After being deplatformed a little while ago, Donald Trump created his Twitter clone, Truth Social. As you can imagine, Truth Social launched to about as much fanfare as a fart in an elevator. Still, my curiosity got the better of me.

For whatever reason, the site is currently restricted to Canada and the United States. And, it is worth pointing out that this restriction is Truth Social themselves restricting which countries can access the site. I am not sure what the reason is for restricting access. Seems ironic given it’s meant to be a Twitter-esque site for free speech.

Step one: operation geoblock

Step one was bypassing the geoblock using a VPN. To the credit of whoever built the site, I had to cycle through a couple of VPN regions in Private Internet Access before I found one that worked. The couple I tried gave me an access denied message, most likely a CDN block.

I doubt whoever built the site created their own geo detection and block functionality. You can achieve this using Amazon CloudFront and other online services that make this kind of task trivial.

The registration process is rather convoluted. Once you enter your date of birth and email address, you are sent a verification email. Once you verify, you must go back to the homepage and click “Create an account” again to be presented with the next step.

Step two: operation text message bypass

Once you confirm your email address and go to the next step, you’re asked to enter your phone number.

The two options for country code are +1 and +44. I live in Australia, which is country code +61. Notably absent from the list.

My first thought was to try entering +61, followed by my phone number, into the field, which didn’t work.

So, the next thing I tried was editing the HTML of the page using Developer Tools. It’s rather simple: right-click the select input and click “Inspect element.”

As you can see, the values are numeric without the plus in front. So, I edited 1 to be 61 to match my country code. I then entered my mobile number and clicked next.

Once you edit the value, click off the value (select the other option) and then the one you selected. Otherwise, the change won’t be set and the value will still be +1.

The phone number gets posted to this endpoint: https://truthsocial.com/api/v1/pepe/verify_sms/request

The value sent up is the country code with plus followed by your number. In my case (and this is not my real number), it sent up something like this:

{
    phone: "+61432123456"
}

Step three: profit???

I was able to register, even though I don’t live in Canada or the US. The title gives things away, but here is my verification text message. Easy peasy.

Whatever restriction they have on country and region appears superficial and easy to bypass. Not many would go to the effort to join Truth Social by editing HTML to bypass an SMS block. Maybe this is intentional?

The bigger question this raises is, what else are they not properly validating in their API? If I can get around their geoblock, even the text message part, were other shortcuts taken during the development of this site?
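As an added example (not from the original post and not Truth Social's code), this is the kind of server-side check that makes the country restriction hold no matter what the form's select element sends. The function name, error strings and sample numbers are assumptions made for illustration.

```javascript
// Added example: server-side re-check of the `phone` value posted by the sign-up form.
// Calling codes the form offered (+1, +44) mapped to a national-number pattern.
// "1" is the NANP pattern (NXX-NXX-XXXX); the "44" bound is a loose assumption.
const ALLOWED = {
  "1": /^[2-9]\d{2}[2-9]\d{6}$/,
  "44": /^\d{7,10}$/,
};

// E.164 shape: "+", a non-zero digit, 7 to 15 digits in total.
const E164 = /^\+[1-9]\d{6,14}$/;

// Hypothetical helper: takes the parsed JSON body, returns a result object.
function validateSmsRequest(body) {
  const phone = body && body.phone;
  if (typeof phone !== "string") {
    return { ok: false, status: 400, error: "phone_required" };
  }
  // Drop spaces, dots, hyphens and parentheses; anything else must fail below.
  const normalized = phone.replace(/[\s().-]/g, "");
  if (!E164.test(normalized)) {
    return { ok: false, status: 422, error: "invalid_phone_format" };
  }
  const digits = normalized.slice(1);
  // E.164 country codes are prefix-free, so a prefix match is unambiguous.
  const code = Object.keys(ALLOWED).find((c) => digits.startsWith(c));
  if (!code) {
    return { ok: false, status: 422, error: "unsupported_country" };
  }
  if (!ALLOWED[code].test(digits.slice(code.length))) {
    return { ok: false, status: 422, error: "invalid_national_number" };
  }
  // Note: +1 covers the whole NANP, so it does not by itself prove US/Canada.
  return { ok: true, status: 200, phone: normalized, callingCode: code };
}

// Constructed sample inputs; the first is the example value from the post.
for (const p of ["+61432123456", "+1 (202) 555-0143", "61432123456"]) {
  console.log(p, "->", JSON.stringify(validateSmsRequest({ phone: p })));
}
```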

Oh, if you’re curious what Truth Social looks like:

It looks like someone took a design concept from Dribbble and turned it into a real site. Other than that, it’s a pretty Twitter-esque-looking social media platform. Perhaps most surprising was seeing real media outlets like Washington Examiner using the platform.

Bonus round: the old switcheroo

Then my curiosity went further. What would happen if I logged in and turned off my VPN?

Uh oh. The site goes into a death spiral, it seems. I get a tonne of, “The request was a legal request”, and the site gets confused.

Going back into Developer Tools paints a funny picture:

The site seems to know I am an authenticated user, so it keeps trying to request to load my timeline. But, looking at the payload, the response is the homepage with the denied message because the geoblock is kicking in.

Dwayne

11 Comments
kevmeister68
5 months ago

Our comrades thank you for discovering this 😛

1
Val
5 months ago

Bro I didn’t receive the SMS. What should I do?

9
Mark
5 months ago

“Bro I didn’t receive the SMS. What should I do?”

@Val: I used a free temporary and disposable phone number from “smsreceivefree” (Google it) and it worked perfect for me. Hope this helps.

1
Mike D
4 months ago

It’s now 6 months later.. And still have issues with VPN PIA.. doesn’t seem to matter what geo region you select.. right here in the states.. they have a server in all 50 states.. and still getting the request errors.. I turn off VPN and it connects.. the min I enable it or connect to a server in the states, the errors start rolling.. unable to log if I close the browser or do any other troubleshooting.. Severely limits TRUTH time..

0
David B
4 months ago

May I ask – who put the GEO code thingy in? Is it coming from TRUTHSocial itself, or from the Australian Communist regime?

2
Dwayne
Author
4 months ago

@David B

This is a geoblock on Truth Social itself. For whatever reason, they’re restricting which countries can access the site for whatever reason.

1
AYEBALE MARVIN JOHN
2 months ago

Help get me a free account there… I’m in Africa and want to see how it feels

0
Mps
2 months ago

Nice catch!

I’m from Holland and it doesn’t accept Dutch mobile numbers. I’m able to submit the form, but I just don’t receive a verification code by SMS…

0
S
2 months ago

@mark
“@Val: I used a free temporary and disposable phone number from “smsreceivefree” (Google it) and it worked perfect for me. Hope this helps.”

It won’t accept any of the numbers from any of those sites! 😩

0
S
2 months ago

Edit: I found a few numbers that it would accept but the verification codes never showed up. 😫

1
Migs
2 months ago

Unfortunately this doesn’t seem to work anymore. Text messages are either not sent or the service responds with:
{
    "error": "valid_phone_carrier",
    "message": "Unable to proceed with the phone number"
}

0
