
Add a mention of fraudulent deception of testers #805

Open
karlgroves opened this issue Jul 30, 2021 · 4 comments

Comments

@karlgroves (Owner) commented Jul 30, 2021

It has been alleged that accessiBe detects the use of WAVE and then fraudulently inserts code specifically to make the page appear to "pass" the WAVE test.

https://twitter.com/jared_w_smith/status/1421138925637181440

Indeed, there are references to wave throughout accessiBe's JS payload, though at the moment I'm not sure what they do. There's also a reference to wave.webaim.org in the code. That said, I think we'll need more details before something can be written about this.

@DagA11y (Contributor) commented Jan 26, 2022

Code is minified and obfuscated, so not so easy to debug, but I managed to get some info:

Current script url: https://acsbapp.com/apps/app/dist/js/app.js

Code checking for "wave.webaim.org":

```js
window[r(4078)][r(4023)].includes("wave.webaim.org") ? (y[r(3682)] = !0, y[r(4686)] = AJS[r(583)][r(3140)](window.parent[r(4078)][r(4023)].split(r(1674))[r(1948)](), !0), e = AJS[r(1141)][r(3821)](r(775), { class: r(4062), alt: r(1362), src: "https://acsbapp.com/apps/app/dist/media/whl.jpg" }), AJS[r(1141)][r(2572)](e, { opacity: "0" }), AJS[r(1141)][r(724)](e, document[r(603)], !1), AJS[r(1141)].classes(AJS[r(1229)](r(4107)), r(2558), !0), h[r(3311)](r(4833), !0, { action: "lightContrast" }, !1).store(), h.updateAction("accessMode", !0, {}, !1)[r(3686)](), h[r(1017)] = {}, D[r(3257)][r(697)](), setInterval(function() { var a = r; e.complete && AJS.elements[a(4387)](AJS.picks(a(1035))), document[a(3715)] !== a(4590) || i.waveProcessDone || (i[a(1594)] = !0, setTimeout(function() { var e = a; AJS.elements[e(2032)](AJS[e(1229)](e(4107)), e(2558)), f[e(3363)](e(4833), { action: "lightContrast", actionGroup: e(2201) }) }, 1500)) }, 100))
```

`window[r(4078)][r(4023)]` is `window["location"]["href"]`, so basically it checks if the site is being audited via Wave.

It seems like image https://acsbapp.com/apps/app/dist/media/whl.jpg is injected

But nevertheless I think they are manipulating the Wave extension in some way, but they do not manage to trick the wave.webaim.org contrast checks, at least based on my quick tests:

  1. open https://www.accessibe.com and use the Wave extension - 0 errors and 0 contrast errors
  2. open https://wave.webaim.org/ and check https://www.accessibe.com - 0 errors and 105 contrast errors

So we can maybe conclude that this is not only suspicious but that there are some mechanisms that try to manipulate Wave.

Somebody more proficient in de-obfuscating can for sure find even more info...

@sivakusayan commented Oct 22, 2022

This can be deobfuscated more, but is this legal? I guess the JS is technically publicly available, but I'm not that familiar with the law surrounding this.

That being said, the obfuscation here isn't great and it's straightforward to crack most of _runWaveProcess once you realize that r is just a numerically shifted version of that extremely huge enum.

As a side note, I would be curious if there are other kinds of tampering going on here with other tools. I'll probably look into it for my own personal curiosity but I probably wouldn't talk about that publicly out of fear of legal risk.

Edit: Removed my r/iamverysmart vibes.
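
Added example, not from this thread or from the script under discussion: a small resolver for the `r(n)` string-table lookups described above, so an auditor can read what the obfuscated branch actually does. The table contents, the offset of 4000 and the sample snippet are constructed for illustration; the only mapping taken from the thread is r(4078) to "location" and r(4023) to "href" as DagA11y reported.

```javascript
// Resolving string-table obfuscation of the form r(n) -> TABLE[n - OFFSET].
// ASSUMPTIONS (constructed, not taken from the real app.js): the offset is
// 4000 and the table is sparse, holding only the two entries reported above.
const OFFSET = 4000;
const TABLE = [];
TABLE[4078 - OFFSET] = "location";
TABLE[4023 - OFFSET] = "href";

// Build a resolver: returns the table entry for r(n), or undefined if unknown.
function makeResolver(table, offset) {
  return (n) => table[n - offset];
}

// Rewrite every r(NNNN) call in a snippet into a quoted string literal.
// Calls that cannot be resolved are left as-is and reported, so the analyst
// can grow the table incrementally instead of guessing.
function resolveStrings(snippet, resolve) {
  const unresolved = new Set();
  const code = snippet.replace(/\br\((\d+)\)/g, (match, digits) => {
    const n = Number(digits);
    const value = resolve(n);
    if (value === undefined) {
      unresolved.add(n);
      return match;
    }
    return JSON.stringify(value);
  });
  return { code, unresolved: [...unresolved].sort((a, b) => a - b) };
}

// Turn obj["name"] into obj.name when "name" is a plain identifier.
function dotify(code) {
  return code.replace(/\["([A-Za-z_$][\w$]*)"\]/g, ".$1");
}

function deobfuscate(snippet, resolve = makeResolver(TABLE, OFFSET)) {
  const { code, unresolved } = resolveStrings(snippet, resolve);
  return { code: dotify(code), unresolved };
}

// Constructed sample modelled on the fragment quoted earlier in the thread.
const SAMPLE =
  'window[r(4078)][r(4023)].includes("wave.webaim.org") ? (y[r(3682)] = !0) : 0';

const out = deobfuscate(SAMPLE);
console.log(out.code);       // window.location.href.includes("wave.webaim.org") ? (y[r(3682)] = !0) : 0
console.log(out.unresolved); // [ 3682 ]
```

Once the real table and offset are pulled from the script, the same two passes apply to the whole `_runWaveProcess` body.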

@anevins12 (Contributor) commented Oct 22, 2022

I looked into this in 2020 and there was tampering. I have the breakdown, but I am concerned to share now you mention legality.

@anevins12 (Contributor) commented

You can use this bookmarklet to prove the theory of tampering and without revealing the unobscured code: https://codepen.io/anevins12/pen/mdVOROb
