A newly released tool claims it can bypass Discord’s age verification system by allowing users to control a 3D model of a computer-generated man in their browser instead of scanning their real face.
On Monday, Discord announced it was launching teen-by-default settings globally, meaning that more users may be required to verify their age by uploading an identity document or taking a selfie. Users responded with widespread criticism, with Discord then publishing an update saying, “You need to be an adult to access age-restricted experiences such as age-restricted servers and channels or to modify certain safety settings.”
The tool, however, shows those age verification checks may be bypassed. 404 Media previously reported kids said they were using photos of Trump and G-Man from Half Life to bypass the age verification software in the popular VR game Gorilla Tag. That game uses the service k–ID, which is the same as what Discord is using.
Discord’s announcement also comes after a recent catastrophic data breach impacted Discord user data, including selfies and identity documents uploaded as part of the app’s verification process.
The tool, simply called Discord ID Bypass Tool, runs in a user’s browser. After downloading and opening it, the tool displays a 3D model of a man. Users can then control the man’s head and mouth movements with their keyboard or a controller.
When verifying someone’s age, Discord asks them to turn on their camera, position their face in a circle on screen, and follow a series of commands. This is to ensure the person is real and not some static image.
“Tilt your head up,” “Close your mouth,” and “Turn your face right” are some examples.
The new tool appears to allow a user to do all of those things, but with the computer-generated persona instead. Github user and tool creator Promptpirate-x uploaded a demonstration video claiming to bypass the age verification check.
0:00
Image: 404 Media’s test of the software.
k-ID is an Andreessen Horowitz funded company that on its website says it is “founded by internationally renowned experts in online safety, privacy, and gaming.” It adds that the company’s technology “enables businesses to provide age-appropriate experiences that respect young users, satisfy regulatory requirements, and reduce the need for children to misrepresent themselves online.”
A k-ID spokesperson told 404 Media in an email “At present all of our monitoring shows systems are working as expected. We are watching very closely for any impact from bypass attempts.”
They said in another email “These are not ID checks and they are not identity verification of any kind. They are age estimations that run locally on a user’s device, as a proportionate way to balance privacy vs age-appropriate access. Reporting of these bypass attempts is helpful as it allows us to defend against them, which is a continuous process.”
Discord did not respond to a request for comment.
Discord’s age verification roll out comes as a host of other services respond to the UK’s law requiring the practice, and more than half of U.S. states passing laws requiring verification to access pornography sites.