Login requires captcha in spite of using MFA #101

Open
dnlm opened this issue Sep 21, 2020 · 25 comments

Comments

@dnlm
Contributor

dnlm commented Sep 21, 2020

Amazon for some reason forced me to change my password and I forgot to set the new password in the script's config. When I noticed that it stopped working I set the new password in the config, ran the script again and it said "login failed, check /tmp/.alexa.login".

This file looks like Amazon wants me to enter a captcha, although I'm using MFA. The Password and MFA_Secret set in the config are correct (I logged in with a browser using the generated OTP from oathtool). When I try to log in with a browser (Chromium & Firefox) with JS disabled from the same machine using XMING (it's a raspberry pi zero w/o GUI) no captcha is required.

Logging in via Browser, extracting the cookie and manually saving it to /tmp/.alexa.cookie works but obviously only until the cookie expires. I'd really like to be able to log in automatically again, is there anything else I could try?

@Apollon77

Amazon decides when they want to get presented which security measure. They have gotten very strict with this lately. I would have no idea what the script can do against that ...

@kami83

kami83 commented Sep 21, 2020

Hi,

I have got the same problem. Maybe someone finds a solution. Thanks a lot.

Cu kami

@matthewbarr

I had the same issue. It's not perfect, but you can make it work with the cookie approach from: #10 (comment)

@kami83

kami83 commented Oct 6, 2020

Hi, thanks a lot. I have seen this, but you have to renew it on your own every 14 days.

Or?

BG kami

@dnlm
Contributor Author

dnlm commented Oct 6, 2020

Yes, as cookies have an expiration date. I'm doing the same right now but it's a major inconvenience TBH :(

Does anything (except the effort) prevent a script from extracting the captcha, showing its uri in the terminal for copy/paste purposes and entering the captcha's solution in the terminal again to submit it? Granted it's a simple alphanumerical captcha.

I might be able to code this but if anyone already tried it and failed for an obvious reason, I'd like to know.

@adn77
Collaborator

adn77 commented Oct 6, 2020

@dnlm what's weird is that you don't get asked for a captcha when you use a browser with JS disabled.
You could try adjusting the user-agent (BROWSER env var to match that of your actual browser).

Maybe creating a new MFA token would somehow reset your "bad-login" count with Amazon as well.

Regarding the captcha - I tried extracting using ImageMagick and tesseract. None of the results had been fruitful though :(

@dnlm
Contributor Author

dnlm commented Oct 7, 2020

@adn77

> You could try adjusting the user-agent (BROWSER env var to match that of your actual browser).

Gonna try that

> Maybe creating a new MFA token would somehow reset your "bad-login" count with Amazon as well.

I already did that but Amazon supplied the same code for generating OTPs so it was useless.

> Regarding the captcha - I tried extracting using ImageMagick and tesseract. None of the results had been fruitful though :(

My idea was to extract the captcha image url, print it in the shell and wait for solved captcha user input. Copy, paste in browser and enter captcha solution manually, no image manipulation needed. Or did I misunderstand you?

@adn77
Collaborator

adn77 commented Oct 17, 2020

@dnlm I actually tried solving the captcha by using tesseract - and failed miserably :(

I didn't think about solving the captcha manually. The thing is the captcha is autocreated, you can only download it once. Also, it's a little beside the point of the script.

@dnlm
Contributor Author

dnlm commented Oct 18, 2020

@adn77 Maybe it was a misconception on my part but I hoped that solving it once on that machine might unlock captchaless logins in the future. For me at least it worked flawlessly until a forced password change which I thought might have triggered an "enter captcha once so we can be sure everything is alright"-mechanic.

Still got to try adjusting the user-agent, will do now and report.

@dnlm
Contributor Author

dnlm commented Oct 18, 2020

GREAT SUCCESS!!!11 👍 @kami83 @adn77 @matthewbarr

Changing the user agent sadly didn't work but I tried chromium (js disabled globally) via xming again and got the captcha request. Solved it, logged out, deleted cookies (obviously very important) and logged back in. Again, captcha reappears. Solved it, repeated log out/cookie delete etc and eventually after some tries I wasn't asked for captchas anymore. After logging in 2 times without a captcha request I tried alexa-remote-control on the command line and got logged in immediately. I hope the captcha flag got removed from my account (?) now. If it fails again, I'll report immediately but for now I'll call it solved.

I'm pretty sure it only needed 2 or 3 tries but I mistyped my password on 2 occasions in the process before switching to copy/paste from the password manager 😛

Also I'm not really sure if using the browser on the same physical machine really is necessary, when I first got the captcha on the pi I tried no-js incognito on my local windows pc and also got the captcha request. But I didn't want to take any chances (regretting it now) and suffered through the painfully slow chromium on my zero w.

I hope this is a permanent solution and might help other people with the same problem.

@kami83

kami83 commented Oct 19, 2020

Hi, thanks a lot. Works for me, too.

Cu kami

@dnlm
Contributor Author

dnlm commented Oct 30, 2020

It failed to log in again on its own after the cookie expired. Sadly this means I'll be giving up on this :( really liked the cli approach, bummer

@dnlm
Contributor Author

dnlm commented Nov 18, 2020

Started working again after about 14 days without any action on my side, will keep reporting if anyone is really interested.

@dcaccount

> Logging in via Browser, extracting the cookie and manually saving it to /tmp/.alexa.cookie works but obviously only until the cookie expires. I'd really like to be able to log in automatically again, is there anything else I could try?

Hello,
can you please advise how to log in via Browser and extract the cookie manually?

Thanks!
Dan

@dnlm
Contributor Author

dnlm commented Feb 7, 2021

@dcaccount use this extension: https://chrome.google.com/webstore/detail/get-cookiestxt/bgaddhkoddajcdgocldbbfleckgcbcid

And follow this short how-to: #10 (comment) (or the one 4 comments below)

@dcaccount

dcaccount commented Feb 7, 2021

> @dcaccount use this extension: https://chrome.google.com/webstore/detail/get-cookiestxt/bgaddhkoddajcdgocldbbfleckgcbcid
>
> And follow this short how-to: #10 (comment) (or the one 4 comments below)

Thanks, I have installed the extension and downloaded but I have a list of cookies in the downloaded txt file.

What one shall I take? I was looking for a cookie starting with:

{"loginCookie":

Please note that before running the script, I deleted all previous cookies.

On the contrary, if I log in in incognito mode, the extension does not find any cookie.

Thanks for helping,
Dan

@dnlm
Contributor Author

dnlm commented Feb 7, 2021

> What one shall I take? I was looking for a cookie starting with:

IIRC I just pasted the whole file into /tmp/.alexa.cookie and it worked (for a week or two)

@dcaccount

> > What one shall I take? I was looking for a cookie starting with:
>
> IIRC I just pasted the whole file into /tmp/.alexa.cookie and it worked (for a week or two)

Thanks!
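
An added example, not part of the original thread or the project's code: since a browser-exported jar in `/tmp/.alexa.cookie` stops working when its cookies expire, this sketch reports how many days remain and whether other local users can read the file. It assumes the jar is in Netscape cookies.txt format; the function names, domain, cookie names and values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code. Assumes the jar is in Netscape cookies.txt
# format (tab separated): domain, subdomain flag, path, secure flag,
# expiry in epoch seconds, name, value.

# Print whole days until the earliest dated cookie expires (negative when one
# has already expired), or "none" if the jar holds only session cookies.
cookie_days_left() {
    jar=$1
    now=${2:-$(date +%s)}            # optional fixed "now" for reproducible runs
    awk -F '\t' -v now="$now" '
        { sub(/^#HttpOnly_/, "") }   # curl prefixes HttpOnly cookies this way
        /^#/ || NF < 7 { next }      # comments, blank or malformed lines
        $5 + 0 == 0 { next }         # expiry 0 marks a session cookie
        min == "" || $5 + 0 < min { min = $5 + 0 }
        END {
            if (min == "") { print "none"; exit }
            d = (min - now) / 86400
            print int(d) - (d < int(d))   # floor, also for negative values
        }' "$jar"
}

# Succeed only if group and others have no access at all (for example mode 600).
# The jar holds live session cookies, and /tmp is shared with every local user.
cookie_jar_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample jar; mktemp creates it with mode 600.
make_sample_jar() {
    sample=$(mktemp)
    printf '# Netscape HTTP Cookie File\n' > "$sample"
    printf '#HttpOnly_.example.com\tTRUE\t/\tTRUE\t1001209600\tauth\tCONSTRUCTED\n' >> "$sample"
    printf '.example.com\tTRUE\t/\tTRUE\t1031536000\tsession\tCONSTRUCTED\n' >> "$sample"
    printf '.example.com\tTRUE\t/\tFALSE\t0\tcsrf\tCONSTRUCTED\n' >> "$sample"
    echo "$sample"
}

# Usage: sh check_jar.sh /tmp/.alexa.cookie
if [ $# -ge 1 ]; then
    echo "days until first cookie expires: $(cookie_days_left "$1")"
    cookie_jar_private "$1" || echo "warning: $1 is accessible to other users"
fi
```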

@adn77
Collaborator

adn77 commented Sep 22, 2021

check out the latest feature which doesn't rely on username/password/mfa but uses the refresh_token returned by proper device registration: https://github.com/adn77/alexa-cookie-cli

or more on my blog: https://blog.loetzimmer.de/2021/09/alexa-remote-control-shell-script.html

@dnlm
Contributor Author

dnlm commented Sep 27, 2021

@adn77 Will try that ASAP, thank you very much for commenting here!
Edit: fetching the token and logging in using the token (in a wrapper script) works flawlessly 👍 Thank you again, this is awesome!

@dcaccount

dcaccount commented Oct 10, 2021

> check out the latest feature which doesn't rely on username/password/mfa but uses the refresh_token returned by proper device registration: https://github.com/adn77/alexa-cookie-cli
>
> or more on my blog: https://blog.loetzimmer.de/2021/09/alexa-remote-control-shell-script.html

Hello,
thanks for your work!

I would like to use alexa_remote_control.sh in a Rpi4 working in headless mode.

How can I get the token? Please help!

I generated the token in another workstation but when I run alexa_remote_control I get the error:

```
trying to get CSRF from handlebars
trying to get CSRF from devices-v2
ERROR: no CSRF cookie received
```

I managed to generate the token from within the same station where the script alexa_remote_control.sh should work but I always get

```
ERROR: no CSRF cookie received
```

Can you please help?

Thanks a lot,
Dan

@adn77
Collaborator

adn77 commented Oct 11, 2021

You shouldn't cross-post excessively :D

Well, you already figured out how to run the alexa-cookie-cli on another workstation. The problem that remains is retrieving the CSRF.
As I made some changes to the matching of whitespace, that might be the source of your issue. Which OS is running on the Rpi4?

@dcaccount

> You shouldn't cross-post excessively :D

You are correct but I realised the issue step by step

> Well, you already figured out how to run the alexa-cookie-cli on another workstation. The problem that remains is retrieving the CSRF. As I made some changes to the matching of whitespace, that might be the source of your issue. Which OS is running on the Rpi4?

I am running Raspbian Buster Lite.
What can I try?

@adn77
Collaborator

adn77 commented Oct 11, 2021

Try `echo 'hey you' | grep -E '\sy'` which should print `hey you`

If that's the case, please check out the latest version, I made a slight change to the "grep" commands.

@dcaccount

> Try `echo 'hey you' | grep -E '\sy'` which should print `hey you`
>
> If that's the case, please check out the latest version, I made a slight change to the "grep" commands.

It works, it is awesome!

Thanks a lot.
