mirror of
https://github.com/TheNetsky/Microsoft-Rewards-Script.git
synced 2026-01-13 11:47:41 +00:00
- first commit
- Addition of a personalized activity manager and refactoring of the logic of activities
- Adding diagnostics management, including screenshot and HTML content, as well as improvements to humanize page interactions and +.
- Adding the management of newspapers and webhook settings, including filtering messages and improving the structure of the summaries sent.
- Adding a post-execution auto-date functionality, including options to update via Git and Docker, as well as a new configuration interface to manage these parameters.
- Adding accounts in Docker, with options to use an environmental file or online JSON data, as well as minimum validations for responsible accounts.
- Improving the Microsoft Rewards script display with a new headband and better log management, including colors and improved formatting for the console.
- v2
- Refactor ESLint configuration and scripts for improved TypeScript support and project structure
- Addition of the detection of suspended accounts with the gesture of the improved errors and journalization of banishment reasons
- Adding an integrated planner for programmed task execution, with configuration in Config.json and +
- Edit
- Remove text
- Updating of documentation and adding the management of humanization in the configuration and +.
- Adding manual purchase method allowing users to spend points without automation, with monitoring of expenses and notifications.
- Correction of documentation and improvement of configuration management for manual purchase mode, adding complete documentation and appropriate banner display.
- Add comprehensive documentation for job state persistence, NTFY notifications, proxy configuration, scheduling, and auto-update features
  - Introduced job state persistence documentation to track progress and resume tasks.
  - Added NTFY push notifications integration guide for real-time alerts.
  - Documented proxy configuration options for enhanced privacy and network management.
  - Included scheduling configuration for automated script execution.
  - Implemented auto-update configuration to keep installations current with Git and Docker options.
- Added a community error reporting system to improve debugging, including configuration and sending anonymized error summaries to a Discord webhook.
- Mini Edit
- Updated Readme.md to improve presentation and clarity, added a section on real-time notifications and updated badges for better readability.
- Documentation update
- Edit README.md
- Edit
- Update README with legacy version link
- Improvement of location data management and webhooks, adding configurations normalization
- Force update for PR
- Improvement of documentation and configuration options for Cron integration and Docker use
- Improvement of planning documentation and adding a multi-pan-pancake in the daily execution script
- Deletion of the CommunityReport functionality in accordance with the project policy
- Addition of randomization of start-up schedules and surveillance time for planner executions
- Refactor Docker setup to use built-in scheduler, removing cron dependencies and simplifying configuration options
- Adding TOTP support for authentication, update of interfaces and configuration files to include Totp secret, and automatic generation of the Totp code when connecting.
- Fix [LOGIN-NO-PROMPT] No dialogs (xX)
- Reset the Totp field for email_1 in the accounts.example.json file
- Reset the Totp field for email_1 in the Readme.md file
- Improvement of Bing Research: Use of the 'Attacked' method for the research field, management of overlays and adding direct navigation in the event of entry failure.
- Adding a complete security policy, including directives on vulnerability management, coordinated disclosure and user security advice.
- Remove advanced environment variables section from README
- Configuration and dockerfile update: Passage to Node 22, addition of management of the purchase method, deletion of obsolete scripts
- Correction of the order of the sections in the Readme.md for better readability
- Update of Readme and Security Policy: Addition of the method of purchase and clarification of security and confidentiality practices.
- Improvement of the readability of the Readme and deletion of the mention of reporting of vulnerabilities in the security document.
- Addition of humanization management and adaptive throttling to simulate more human behavior in bot activities.
- Addition of humanization management: activation/deactivation of human gestures, configuration update and adding documentation on human mode.
- Deletion of community error report functionality to respect the privacy policy
- Addition of immediate banning alerts and vacation configuration in the Microsoft Rewards bot
- Addition of immediate banning alerts and vacation configuration in the Microsoft Rewards bot
- Added scheduling support: support for 12h and 24h formats, added options for time zone, and immediate execution on startup.
- Added window size normalization and page rendering to fit typical screens, with injected CSS styles to prevent excessive zooming.
- Added security incident management: detection of hidden recovery emails, automation blocking, and global alerts. Updated configuration files and interfaces to include recovery emails. Improved security incident documentation.
- Refactor incident alert handling: unified alert sender
- s
- Added security incident management: detect recovery email inconsistencies and send unified alerts. Implemented helper methods to manage alerts and compromised modes.
- Added heartbeat management for the scheduler: integrated a heartbeat file to report liveliness and adjusted the watchdog configuration to account for heartbeat updates.
- Edit webhook
- Updated security alert management: fixed the recovery email hidden in the documentation and enabled the conclusion webhook for notifications.
- Improved security alert handling: added structured sending to webhooks for better visibility and updated callback interval in compromised mode.
- Edit conf
- Improved dependency installation: Added the --ignore-scripts option for npm ci and npm install. Updated comments in compose.yaml for clarity.
- Refactor documentation structure and enhance logging:
  - Moved documentation files from 'information' to 'docs' directory for better organization.
  - Added live logging configuration to support webhook logs with email redaction.
  - Updated file paths in configuration and loading functions to accommodate new structure.
  - Adjusted scheduler behavior to prevent immediate runs unless explicitly set.
  - Improved error handling for account and config file loading.
  - Enhanced security incident documentation with detailed recovery steps.
- Fix docs
- Remove outdated documentation on NTFY, Proxy, Scheduling, Security, and Auto-Update configurations; update Browser class to prioritize headless mode based on environment variable.
- Addition of documentation for account management and Totp, Docker Guide, and Update of the Documentation Index.
- Updating Docker documentation: simplification of instructions and adding links to detailed guides. Revision of configuration options and troubleshooting sections.
- Edit
- Edit docs
- Enhance documentation for Scheduler, Security, and Auto-Update features
  - Revamped the Scheduler documentation to include detailed features, configuration options, and usage examples.
  - Expanded the Security guide with comprehensive incident response strategies, privacy measures, and monitoring practices.
  - Updated the Auto-Update section to clarify configuration, methods, and best practices for maintaining system integrity.
- Improved error handling and added crash recovery in the Microsoft Rewards bot. Added configuration for automatic restart and handling of local search queries when trends fail.
- Fixed initial point counting in MicrosoftRewardsBot and improved error handling when sending summaries to webhooks.
- Added unified support for notifications and improved handling of webhook configurations in the normalizeConfig and log functions.
- UPDATE LOGIN
- EDIT LOGIN
- Improved login error handling: added recovery mismatch detection and the ability to switch to password authentication.
- Added a full reference to configuration in the documentation and improved log and error handling in the code.
- Added context management for conclusion webhooks and improved user configuration for notifications.
- Mini edit
- Improved logic for extracting masked emails for more accurate matching during account recovery.
9.3 KiB
🔒 Security & Privacy Guide
🛡️ Comprehensive security measures and incident response
Protect your accounts and maintain privacy
🎯 Security Overview
This guide explains how the script detects security-related issues, what it does automatically, and how you can resolve incidents safely.
Security Features
- 🚨 Automated detection — Recognizes account compromise attempts
- 🛑 Emergency halting — Stops all automation during incidents
- 🔔 Strong alerts — Immediate notifications via Discord/NTFY
- 📋 Recovery guidance — Step-by-step incident resolution
- 🔒 Privacy protection — Local-only operation by default
🚨 Security Incidents & Resolutions
Recovery Email Mismatch
Symptoms
During Microsoft login, the page shows a masked recovery email like ko*****@hacker.net that doesn't match your expected recovery email pattern.
What the Script Does
- 🛑 Halts automation for the current account (leaves page open for manual action)
- 🚨 Sends strong alerts to all channels and engages global standby
- ⏸️ Stops processing — No further accounts are processed
- 🔔 Repeats reminders every 5 minutes until intervention
Likely Causes
- ⚠️ Account takeover — Recovery email changed by someone else
- 🔄 Recent change — You changed recovery email but forgot to update config
How to Fix
- 🔍 Verify account security in Microsoft Account settings
- 📝 Update config if you changed recovery email yourself:
{ "email": "your@email.com", "recoveryEmail": "ko*****@hacker.net" }
- 🔐 Change password and review sign-in activity if compromise suspected
- 🚀 Restart script to resume normal operation
Prevention
- ✅ Keep recoveryEmail in accounts.json up to date
- ✅ Use strong unique passwords and MFA
- ✅ Regular security reviews
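The mismatch check described above, as an added example in TypeScript that is not the project's own code: it extracts the masked address the login page shows, compares it with the recoveryEmail value from accounts.json, and reports the address that should trigger the halt. The mask format (leading characters of the local part, a run of asterisks, the full domain) and all function names are assumptions of this example.

```typescript
// Added example, not the project's own code: detect the recovery-email
// mismatch this guide describes. The login page shows a masked address such
// as "ko*****@hacker.net"; we compare it with the recoveryEmail value from
// accounts.json. Mask format and every name below are assumptions.

export interface MaskedEmail {
  prefix: string; // visible leading characters of the local part
  domain: string; // full domain after '@'
}

// Pull every masked address out of the visible page text (lower-cased).
export function extractMaskedEmails(pageText: string): string[] {
  const re = /[a-z0-9._-]*\*+@[a-z0-9.-]+\.[a-z]{2,}/gi;
  return (pageText.match(re) ?? []).map((m) => m.toLowerCase());
}

// Parse one masked address; null when the text is not in masked form.
export function parseMaskedEmail(text: string): MaskedEmail | null {
  const m = /^([a-z0-9._-]*)\*+@([a-z0-9.-]+\.[a-z]{2,})$/.exec(text.trim().toLowerCase());
  return m ? { prefix: m[1], domain: m[2] } : null;
}

// Compare what the page shows with the expected recovery email, which may be
// a full address ("kolya@hacker.net") or itself masked ("ko***@hacker.net").
export function recoveryEmailMatches(shown: string, expected: string): boolean {
  const s = parseMaskedEmail(shown);
  if (!s) return false;
  const e = expected.trim().toLowerCase();
  const at = e.lastIndexOf('@');
  if (at < 0) return false;
  if (s.domain !== e.slice(at + 1)) return false;
  const expLocal = e.slice(0, at).replace(/\*/g, '');
  if (e.includes('*')) {
    // Both sides masked: only the characters both reveal can be compared.
    const n = Math.min(expLocal.length, s.prefix.length);
    return expLocal.slice(0, n) === s.prefix.slice(0, n);
  }
  return expLocal.startsWith(s.prefix);
}

// Returns the first masked address on the page that does not match the
// configured recovery email, or null when there is nothing to raise.
export function findRecoveryMismatch(pageText: string, expected: string): string | null {
  for (const shown of extractMaskedEmails(pageText)) {
    if (!recoveryEmailMatches(shown, expected)) return shown;
  }
  return null;
}
```

A page with no masked address at all yields null, so the caller should still treat an unexpected login flow as a separate condition.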
"We Can't Sign You In" (Blocked)
Symptoms
Microsoft presents a page titled "We can't sign you in" during login attempts.
What the Script Does
- 🛑 Stops automation and leaves page open for manual recovery
- 🚨 Sends strong alert with high priority notifications
- ⏸️ Engages global standby to avoid processing other accounts
Likely Causes
- ⏱️ Temporary lock — Rate limiting or security check from Microsoft
- 🚫 Account restrictions — Ban related to unusual activity
- 🔒 Verification required — SMS code, authenticator, or other challenges
How to Fix
- ✅ Complete verification challenges (SMS, authenticator, etc.)
- ⏸️ Pause activity for 24-48h if blocked repeatedly
- 🔧 Reduce concurrency and increase delays between actions
- 🌐 Check proxies — Ensure consistent IP/country
- 📞 Appeal if needed — Contact Microsoft if ban is suspected
Prevention
- ✅ Respect rate limits — Use humanization settings
- ✅ Avoid patterns — Don't run too many accounts from same IP
- ✅ Geographic consistency — Use proxies from your actual region
- ✅ Human-like timing — Avoid frequent credential retries
🔐 Privacy & Data Protection
Local-First Architecture
- 💾 All data local — Credentials, sessions, logs stored locally only
- 🚫 No telemetry — Zero data collection or external reporting
- 🔒 No cloud storage — Everything remains on your machine
Credential Security
{
  "accounts": [
    {
      "email": "user@example.com",
      "password": "secure-password-here",
      "totpSecret": "optional-2fa-secret"
    }
  ]
}
Best Practices:
- 🔐 Strong passwords — Unique, complex passwords per account
- 🔑 2FA enabled — Time-based one-time passwords when possible
- 📁 File permissions — Restrict access to accounts.json
- 🔄 Regular rotation — Change passwords periodically
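One way to enforce the file-permission item above before the script reads its secrets, as an added TypeScript example that is not the project's own code: it reports whether accounts.json is readable by group or world and tightens it to owner-only. It relies on POSIX mode bits and skips the check on Windows; the function names are this example's own.

```typescript
// Added example, not the project's own code: verify that accounts.json is
// readable only by its owner and tighten the mode if not. POSIX mode bits
// only; on Windows the check is skipped. Names here are assumptions.
import { statSync, chmodSync, writeFileSync, mkdtempSync } from 'node:fs';
import { join } from 'node:path';
import { tmpdir, platform } from 'node:os';

export interface PermissionReport {
  path: string;
  mode: string;                 // octal, e.g. "600"
  groupOrWorldReadable: boolean;
  skipped: boolean;             // true where mode bits are not meaningful
}

const posix = platform() !== 'win32';

export function checkSecretsFile(path: string): PermissionReport {
  if (!posix) return { path, mode: 'n/a', groupOrWorldReadable: false, skipped: true };
  const mode = statSync(path).mode & 0o777;
  return {
    path,
    mode: mode.toString(8).padStart(3, '0'),
    groupOrWorldReadable: (mode & 0o077) !== 0, // any group/other bit set
    skipped: false,
  };
}

// Restrict to owner read/write (0600) and re-check.
export function restrictSecretsFile(path: string): PermissionReport {
  if (posix) chmodSync(path, 0o600);
  return checkSecretsFile(path);
}

// Constructed sample: a throwaway accounts.json with dummy values, created
// deliberately too open (0644) to show the before/after reports.
export function demo(): { before: PermissionReport; after: PermissionReport } {
  const dir = mkdtempSync(join(tmpdir(), 'rewards-perm-'));
  const file = join(dir, 'accounts.json');
  writeFileSync(file, JSON.stringify({ accounts: [{ email: 'user@example.com', password: 'dummy' }] }));
  if (posix) chmodSync(file, 0o644);
  const before = checkSecretsFile(file);
  const after = restrictSecretsFile(file);
  return { before, after };
}
```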
Session Management
- 🍪 Persistent cookies — Stored locally in the sessions/ directory
- 🔒 Encrypted storage — Session data protected at rest
- ⏰ Automatic expiry — Old sessions cleaned up automatically
- 🗂️ Per-account isolation — No session data mixing
🌐 Network Security
Proxy Configuration
{
  "browser": {
    "proxy": {
      "enabled": true,
      "server": "proxy.example.com:8080",
      "username": "user",
      "password": "pass"
    }
  }
}
Security Benefits:
- 🎭 IP masking — Hide your real IP address
- 🌍 Geographic flexibility — Appear from different locations
- 🔒 Traffic encryption — HTTPS proxy connections
- 🛡️ Detection avoidance — Rotate IPs to avoid patterns
Traffic Analysis Protection
- 🔐 HTTPS only — All Microsoft communications encrypted
- 🚫 No plaintext passwords — Credentials protected in transit
- 🛡️ Certificate validation — SSL/TLS verification enabled
- 🔍 Deep packet inspection resistant
🛡️ Anti-Detection Measures
Humanization
{
  "humanization": {
    "enabled": true,
    "actionDelay": { "min": 150, "max": 450 },
    "gestureMoveProb": 0.4,
    "gestureScrollProb": 0.2
  }
}
Natural Behavior Simulation:
- ⏱️ Random delays — Variable timing between actions
- 🖱️ Mouse movements — Subtle cursor adjustments
- 📜 Scrolling gestures — Natural page interactions
- 🎲 Randomized patterns — Avoid predictable automation
Browser Fingerprinting
- 🌐 Real user agents — Authentic browser identification
- 📱 Platform consistency — Mobile/desktop specific headers
- 🔧 Plugin simulation — Realistic browser capabilities
- 🖥️ Screen resolution — Appropriate viewport dimensions
📊 Monitoring & Alerting
Real-Time Monitoring
{
  "notifications": {
    "webhook": {
      "enabled": true,
      "url": "https://discord.com/api/webhooks/..."
    },
    "ntfy": {
      "enabled": true,
      "url": "https://ntfy.sh",
      "topic": "rewards-security"
    }
  }
}
Alert Types:
- 🚨 Security incidents — Account compromise attempts
- ⚠️ Login failures — Authentication issues
- 🔒 Account blocks — Access restrictions detected
- 📊 Performance anomalies — Unusual execution patterns
Log Analysis
- 📝 Detailed logging — All actions recorded locally
- 🔍 Error tracking — Failed operations highlighted
- 📊 Performance metrics — Timing and success rates
- 🛡️ Security events — Incident timeline reconstruction
🧪 Security Testing
Penetration Testing
# Test credential handling
$env:DEBUG_SECURITY=1; npm start
# Test session persistence
$env:DEBUG_SESSIONS=1; npm start
# Test proxy configuration
$env:DEBUG_PROXY=1; npm start
Vulnerability Assessment
- 🔍 Regular audits — Check for security issues
- 📦 Dependency scanning — Monitor npm packages
- 🔒 Code review — Manual security analysis
- 🛡️ Threat modeling — Identify attack vectors
📋 Security Checklist
Initial Setup
- ✅ Strong passwords for all accounts
- ✅ 2FA enabled where possible
- ✅ File permissions restricted to user only
- ✅ Proxy configured if desired
- ✅ Notifications set up for alerts
Regular Maintenance
- ✅ Password rotation every 90 days
- ✅ Session cleanup weekly
- ✅ Log review for anomalies
- ✅ Security updates for dependencies
- ✅ Backup verification of configurations
Incident Response
- ✅ Alert investigation within 15 minutes
- ✅ Account verification when suspicious
- ✅ Password changes if compromise suspected
- ✅ Activity review in Microsoft account settings
- ✅ Documentation of incidents and resolutions
🚨 Emergency Procedures
Account Compromise Response
- 🛑 Immediate shutdown — Stop all script activity
- 🔒 Change passwords — Update all affected accounts
- 📞 Contact Microsoft — Report unauthorized access
- 🔍 Audit activity — Review recent sign-ins and changes
- 🛡️ Enable additional security — Add 2FA, recovery options
- 📋 Document incident — Record timeline and actions taken
Detection Evasion
- ⏸️ Temporary suspension — Pause automation for 24-48h
- 🔧 Reduce intensity — Lower pass counts and frequencies
- 🌐 Change IPs — Rotate proxies or VPN endpoints
- ⏰ Adjust timing — Modify scheduling patterns
- 🎭 Increase humanization — More natural behavior simulation
🔗 Quick Reference Links
When the script detects a security incident, it opens this guide directly to the relevant section:
- Recovery Email Mismatch — Email change detection
- Account Blocked — Login restriction handling
🔗 Related Guides
- Getting Started — Initial setup and configuration
- Accounts & 2FA — Microsoft account setup
- Proxy Configuration — Network privacy and routing
- Humanization — Natural behavior patterns