Back in January 2020 I shared a tweet demonstrating a Twilio integration with my Meural Canvas digital picture frame.
Used #twilio to add SMS to my @MeetMeural Canvas today! pic.twitter.com/IRRH9HYV3o
— Martin Amps (@MartinAmps) January 12, 2020
In the months since, guests have had a lot of fun with it and it’s been awesome seeing occasional surprise memories from friends pop up. That said, building that integration wasn’t the most straightforward task. I documented the journey (and failures) I took to arrive at the ultimate solution, with the intention of illustrating that reverse engineering is largely about persistence, and full of surprises. Most notably, I did not expect to encounter a dynamically generated virtual machine that generates and injects the headers required to validate authentication requests.
Update: Since posting, folks have noted this exact same technology is in use at Nordstrom (https://www.nordstrom.com/mwp/integration/ns_common.js?async) and Target (https://assets.targetimg1.com/ssx/ssx.mod.js). The solution appears to be Shape Security.