Unable to use Selenium to automate Chase site login

When I try to log into the Chase website using Selenium (Python), I'm hit with the following error message:

Chase Login Failure Image

However, using "human" login works fine. It seems that when Selenium finds an element it triggers the issue.

Am I missing something? I've tried to find the answer on stackoverflow but to no avail.

Update:

The expected result is that the script would successfully allow me to login programatically.

Here's the code sample below:

import time
import os

from selenium import webdriver

CHASE_USER_ID = os.getenv('CHASE_USER_ID', None)
CHASE_PASSWORD = os.getenv('CHASE_PASSWORD', None)

assert CHASE_USER_ID is not None, 'Chase user id not set'
assert CHASE_PASSWORD is not None, ' Chase password not set'


def main():
    chrome_options = webdriver.ChromeOptions()
    driver = webdriver.Chrome(r'./chromedriver', chrome_options=chrome_options)

    try:
        driver.get('https://secure07c.chase.com/web/auth/#/logon/logon/chaseOnline?')

        time.sleep(2)

        user_element = driver.find_element_by_id('userId-input-field')  # Finding an element here seems to make the login process fail 
        user_element.send_keys(CHASE_USER_ID)

        password_element = driver.find_element_by_id('password-input-field')
        password_element.send_keys(CHASE_PASSWORD)

        time.sleep(2)

        password_element.submit()

        time.sleep(10)
    finally:
        driver.quit()


if __name__ == '__main__':
    main()

Solution 1:

I took your code and simplified the structure and ran the test with minimal lines of code as follows:

from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.support.ui import WebDriverWait


options = webdriver.ChromeOptions()
options.add_argument("start-maximized")
options.add_argument("--disable-extensions")
driver = webdriver.Chrome(chrome_options=options, executable_path=r'C:\Utility\BrowserDrivers\chromedriver.exe')
driver.get("https://secure07c.chase.com/web/auth/#/logon/logon/chaseOnline?")
WebDriverWait(driver, 20).until(EC.element_to_be_clickable((By.CSS_SELECTOR, "input.jpui.input.logon-xs-toggle.clientSideError"))).send_keys("jsmiao")
driver.find_element_by_css_selector("input.jpui.input.logon-xs-toggle#password-input-field").send_keys("hello")
driver.find_element_by_css_selector("button#signin-button>span.label").click()

Similarly, as per your observation I have hit the same roadblock with the error as:

Chase Login Failure Image

It seems the click() on the element with text as Sign in does happens. Though the username / password lookup is initiated but the process is interupted. While inspecting the DOM Tree of the webpage you will find that some of the <script> tag refers to JavaScripts having keyword dist. As an example:

  • <script src="https://static.chasecdn.com/web/library/blue-boot/dist/2.20.3/blue-boot/js/main-ver.js"></script>
  • <script type="text/javascript" charset="utf-8" async="" data-requirecontext="_" data-requiremodule="blue-vendor/main" src="https://static.chasecdn.com/web/library/blue-vendor/dist/2.11.1/blue-vendor/js/main.js"></script>
  • <script type="text/javascript" charset="utf-8" async="" data-requirecontext="_" data-requiremodule="blue/main" src="https://static.chasecdn.com/web/library/blue-core/dist/2.16.3/blue/js/main.js"></script>
  • <script type="text/javascript" charset="utf-8" async="" data-requirecontext="_" data-requiremodule="blue-app/main" src="https://static.chasecdn.com/web/library/blue-app/dist/2.15.1/blue-app/js/main.js"></script>

Which is a clear indication that the website is protected by Bot Management service provider Distil Networks and the navigation by ChromeDriver gets detected and subsequently blocked.


Distil

As per the article There Really Is Something About Distil.it...:

Distil protects sites against automatic content scraping bots by observing site behavior and identifying patterns peculiar to scrapers. When Distil identifies a malicious bot on one site, it creates a blacklisted behavioral profile that is deployed to all its customers. Something like a bot firewall, Distil detects patterns and reacts.

Further,

"One pattern with Selenium was automating the theft of Web content", Distil CEO Rami Essaid said in an interview last week. "Even though they can create new bots, we figured out a way to identify Selenium the a tool they're using, so we're blocking Selenium no matter how many times they iterate on that bot. We're doing that now with Python and a lot of different technologies. Once we see a pattern emerge from one type of bot, then we work to reverse engineer the technology they use and identify it as malicious".


Reference

You can find a couple of detailed discussion in:

  • Is there a way to use Selenium WebDriver without informing the document that it is controlled by WebDriver?
  • Selenium webdriver: Modifying navigator.webdriver flag to prevent selenium detection
  • Akamai Bot Manager detects WebDriver driven Chrome Browsing Context
  • Is there a version of selenium webdriver that is not detectable?