-
Notifications
You must be signed in to change notification settings - Fork 491
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add a mention of fraudulent deception of testers #805
Comments
Code is minified and obfuscated, so not so easy to debug, but I managed to get some info; Current script url: https://acsbapp.com/apps/app/dist/js/app.js Code checking for "wave.webaim.org"
It seems like image https://acsbapp.com/apps/app/dist/media/whl.jpg is injected But nevertheless I think they are manipulating the Wave extension in some way but they do not manage to trick the wave.webaim.org contrast checks, at least based on my quick tests;
So we can maybe conclude that this is not only suspicious but that there are some mechanisms that try to manipulate Wave. Somebody more proficient in de-obfuscating can for sure find even more info... |
This can be deobfuscated more, but is this legal? I guess the JS is technically publically available but I'm not that familiar with the law surrounding this. That being said, the obfuscation here isn't great and it's straightforward to crack most of As a side note, I would be curious if there are other kinds of tampering going on here with other tools. I'll probably look into it for my own personal curiosity but I probably wouldn't talk about that publicly out of fear of legal risk. Edit: Removed my r/iamverysmart vibes. |
I looked into this in 2020 and there was tampering. I have the breakdown, but I am concerned to share now you mention legality. |
You can use this bookmarklet to prove the theory of tampering and without revealing the unobscured code: https://codepen.io/anevins12/pen/mdVOROb |
It has been alleged that accessiBe detects the use of WAVE and then fraudulently inserts code specifically to make the page appear to "pass" the WAVE test.
https://twitter.com/jared_w_smith/status/1421138925637181440
Indeed, there are references to
wave
throughout accessiBe's JS payload, though at the moment I'm not sure what they do. There's also a reference towave.webaim.org
in the code. That said, I think we'll need more details before something can be written about this.The text was updated successfully, but these errors were encountered: