fix: add Netflix to LOUD_MODULES (sends verification code to target)#262
Conversation
The Netflix module (CLCSWebInitSignup GraphQL mutation) triggers a real verification code sent to the scanned email address. This notifies the target, so Netflix should be skipped by default like other loud modules. Discovered during testing: each scan triggered an unsolicited Netflix verification code to the target email.
VamatoHD
left a comment
VamatoHD
left a comment
There was a problem hiding this comment.
I have tested this with a used email and did in fact receive an unwanted email.
- Switch to LOGIN node to reduce target notifications - Fix locale from en-IN to en-US for global compatibility - Fix session URL from netflix.com/in/ to netflix.com/ - Simplify detection to single reliable marker - Add GraphQL error guard to prevent false negatives - Increase timeout from 5s to 10s
|
Added a second commit that fixes the Netflix module itself:
Ready for review. |
| if '"errors"' in resp_text: | ||
| return Result.error("GraphQL error, report it via GitHub issues") | ||
|
|
||
| return Result.available(url=show_url) |
There was a problem hiding this comment.
I tested it with a registered email address, but it reports the email as not registered. That means the string already have an account you’re expecting in response.text for registered emails isn’t consistently present.
Also, returning Result.available() for all other cases isn’t ideal, it makes the module prone to false negatives.
Try identifying two distinct and reliable keywords in the response body: one that clearly indicates a registered email and another that indicates a non-registered email. Then base the logic strictly on those conditions instead of assuming the fallback case.
kaifcodec
closed this pull request by merging all changes
into
kaifcodec:main
in
5997af2
3 participants
Summary
netflixto theLOUD_MODULES["email"]list inhelpers.pyCLCSWebInitSignupGraphQL mutation that triggers a real verification code sent to the scanned email addressHow it was discovered
During testing, each scan triggered an unsolicited Netflix verification code to the target email. The module should be skipped by default (like
instagram,leetcode,polarsteps, etc.) and only run when--allow-loudis explicitly passed.Test plan
user-scanner -e test@example.com→ Netflix shows[~] Skippeduser-scanner -e test@example.com --allow-loud→ Netflix runs normallyuser-scanner -e test@example.com -m netflix→ Netflix runs (specific module mode)