Signature token is not working #7

Closed
hemu161 opened this issue Feb 13, 2020 · 28 comments

Comments

@hemu161

hemu161 commented Feb 13, 2020

It was working till February 12th. But today when I tried it, it's not working. Even the trending.py script is not working. It's just returning {'statusCode': 200, 'contentType': 'application/json', 'content': ''}

@kirik

kirik commented Feb 13, 2020

I am also facing this issue.
I have dug a little into this problem and found that the sign function draws a canvas, then gets its value with the .toDataURL() method. It uses this value to generate the signature as well.
The canvas library for jsdom does not help, because it generates the wrong canvas value.
Now I'm trying to use puppeteer to get the right value.

UPD: the sign function somehow detects the puppeteer environment, so it generates a wrong signature.

@muneeb331

I am having the same issue. One thing is tiktok has changed their URL from
https://www.tiktok.com to
https://m.tiktok.com
and also added another parameter of
&lang in the url.

I think we need to get the new tac, waiting for the repo owner to reply. :/

@kirik

kirik commented Feb 13, 2020

@muneeb331 the new tac didn't work for me.

@muneeb331

Maybe they have changed the way it's generated. Any clues which script to look for to generate it?

@kirik

kirik commented Feb 13, 2020

@muneeb331 take a look at the page source for ">tac". Or just dump window.tac from the browser's console.

@muneeb331

That will dump the tac, which is then used to generate the signature. I am assuming they have changed something with the generation method.

@muneeb331

@carcabot we need you sir :)

@tokjii

tokjii commented Feb 13, 2020

Check this js file. I think it's somewhere in there. Check your network tab in dev tools to know what signature to look for and try to find the variable set in that script.

Currently trying to set breakpoints at different lines but I can't find anything.

@tokjii

tokjii commented Feb 13, 2020

i() seems to split a string into an argument list

function i(e) {
    var t = _[245];
    for (var n in e)
        e[_[5]](n) && (t += f[_[414]](n) + _[232] + f[_[414]](e[n]) + _[397]);
    return t[_[231]] && (t = t[_[254]](0, t[_[231]] - 1)),
    t
}
i('string')
"0=s&1=t&2=r&3=i&4=n&5=g"

EDIT: That's about all I could find. Rest is a myth to me, sorry

@tokjii

tokjii commented Feb 13, 2020

__NEXT_DATA__ is being referenced later as well and passes the tac

@muneeb331

is it possible that the new tac is being used?

@tokjii

tokjii commented Feb 13, 2020

What do you mean?

@muneeb331

muneeb331 commented Feb 13, 2020

It means the tac sent in the NEXTDATA response might be responsible for generating the new signature.

EDIT: I've tried it. It's not working.

@tokjii

tokjii commented Feb 13, 2020

@mgp25 I don't know how your PHP repo works but if you could take a look at how we can get the signature now that would be amazing. I guess we could pool some beer money for you too

@carcabot
Owner

I am still investigating it; it seems that they added some extra security besides this.userAgent.

@muneeb331

@carcabot that is what I was suspecting, that they have changed how the signature is being generated. Can you point out where to look? I am going through their JS files.

@mgp25

mgp25 commented Feb 13, 2020

Hello, signature is used in TikTok web only (my repo uses android endpoints), it is a basic hashing algorithm the last time I saw it.

@muneeb331

@mgp25 you are right but this repo is built on JS.

@muneeb331

@carcabot any progress? I still can't get my head around what they have changed with their security.

@tokjii

tokjii commented Feb 13, 2020

> Hello, signature is used in TikTok web only (my repo uses android endpoints), it is a basic hashing algorithm the last time I saw it.

@mgp25
Yeah I thought that would be the case. Let us know if you're bored and want to take a look at it. I'm following you since ChatAPI, you're insane but in a good way lol

@tokjii

tokjii commented Feb 13, 2020

> means the tac sent in the NEXTDATA response might be responsible for generating the new signature.
>
> EDIT: I've tried it. It's not working.

Just checked, window.tac and __next_data__.tac have a lot of differences. window.tac is much shorter, but it might also be due to the next_data tac having to be JSON compatible, hence escaping some letters.

marked circle becomes: \uffee https://www.fileformat.info/info/unicode/char/ffee/index.htm
etc.
When I'm back I will escape them and check if they're the same.
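
An added example (not from the thread or the project) of the comparison described in the comment above: decode the JSON-embedded copy of a string before comparing it with the raw copy, and report the first mismatch. The token values and all function names are constructed for illustration.

```javascript
// Constructed sample: the same token as a raw JS string and as it would
// appear inside a JSON document, where non-ASCII characters are written
// as \uXXXX escapes and therefore take six characters instead of one.
const rawToken = "i)6\uffeeab\u00e9z";
const jsonEmbedded = '"i)6\\uffeeab\\u00e9z"';

// Decode a JSON string literal (surrounding quotes included).
function decodeJsonString(literal) {
  const value = JSON.parse(literal);
  if (typeof value !== "string") {
    throw new TypeError("not a JSON string literal");
  }
  return value;
}

// Describe the UTF-16 code unit at position i, or "end" past the string.
function codeUnit(s, i) {
  if (i >= s.length) return "end";
  return "U+" + s.charCodeAt(i).toString(16).padStart(4, "0");
}

// Return null when both strings are identical, otherwise the first
// position where they differ together with both code units.
function firstDifference(a, b) {
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (a[i] !== b[i]) {
      return { index: i, a: codeUnit(a, i), b: codeUnit(b, i) };
    }
  }
  if (a.length === b.length) return null;
  return { index: n, a: codeUnit(a, n), b: codeUnit(b, n) };
}

// Compare a raw string with its JSON-embedded form after decoding.
function compareTokens(raw, jsonLiteral) {
  const decoded = decodeJsonString(jsonLiteral);
  return {
    rawLength: raw.length,
    escapedLength: jsonLiteral.length - 2, // without the two quotes
    decodedLength: decoded.length,
    difference: firstDifference(raw, decoded),
  };
}

console.log(compareTokens(rawToken, jsonEmbedded));
```

A length difference between the two forms on its own says nothing; only a non-null `difference` after decoding means the values really differ.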

@tokjii

tokjii commented Feb 13, 2020

Let's move this to Discord, it's faster

https://discord.gg/HmYmtdX

@carcabot
Owner

carcabot commented Feb 13, 2020

There's no time to waste decoding these strings, there are more changes than tac token. I switched back to puppeteer version, it's a little slower but works.

Let me know if someone tested this version and confirms that it's working.

Greetings.

@muneeb331

muneeb331 commented Feb 14, 2020

> There's no time to waste decoding these strings, there are more changes than tac token. I switched back to puppeteer version, it's a little slower but works.
>
> Let me know if someone tested this version and confirms that it's working.
>
> Greetings.

@carcabot The older version is not working, I've opened a separate issue for that version.

@p4rnicke

Your sample/test code in the readme is confusing me. (Most of us are interested in the video feed of a specific user.)
Questions:

  • Why type=5 is used?
  • In the test code your referrer url is a specific video link, not the link of the user. Why? How can I know the url of a specific video before getting the list of the video?

@hemu161
Author

hemu161 commented Feb 14, 2020

The new update is working fine

@hemu161 hemu161 closed this as completed Feb 14, 2020
@carcabot
Owner

> Your sample/test code in the readme is confusing me. (Most of us are interested in the video feed of a specific user.)
> Questions:
>
>   • Why type=5 is used?
>   • In the test code your referrer url is a specific video link, not the link of the user. Why? How can I know the url of a specific video before getting the list of the video?

In the sample code from the README, the trending list service URL (https://www.tiktok.com/trending) is used as an example; I don't know the meaning of type=5.

The referer is used just to look like a real request.

If you want to list videos for a single user you have to use something like this:

https://m.tiktok.com/share/item/list?secUid=&id=7708376&type=1&count=30&minCursor=0&maxCursor=1577254765000&shareUid=&lang=

You can find these urls in Chrome inspect element -> Network tab.

This repo is just for generating signature.

Greetings.

@p4rnicke

Ok thanks for clarifying.
I can also confirm that I could switch to the puppeteer version, it is working.
