Back in January 2020 I shared a tweet demonstrating a Twilio integration with my Meural Canvas digital picture frame.
Used #twilio to add SMS to my @MeetMeural Canvas today! pic.twitter.com/IRRH9HYV3o
— Martin Amps (@MartinAmps) January 12, 2020
In the months since, guests have had a lot of fun with it and it’s been awesome seeing occasional surprise memories from friends pop up. That said, building that integration wasn’t the most straightforward task. I documented the journey (and failures) I took to arrive at the ultimate solution, with the intention of illustrating that reverse engineering is largely about persistence, and full of surprises. Most notably, I did not expect to encounter a dynamically generated virtual machine that generates and injects the headers required to validate authentication requests. I did find reference to Google’s Widevine Content Decryption Module but I’m not certain that technology is in play, or if the code tries to check for its presence at some point.
Update: Since posting, folks have noted this exact same technology is in use at Nordstrom (https://www.nordstrom.com/mwp/integration/ns_common.js?async) and Target (https://assets.targetimg1.com/ssx/ssx.mod.js).