Gaming Foursquare With 9 Lines of Perl

caffeinemessiah writes "With the recent launch of Facebook Places, the rise to prominence of Foursquare and GoWalla, and articles in the New York Times about the increasing popularity of 'checking in' to locations using GPS-enabled mobile phones, a number of businesses are wondering how to reward frequent patrons. But exactly how susceptible are these 'location based services' to being abused? A researcher at the University of Illinois at Chicago shows how easily Foursquare can be gamed in 9 Perl statements, and invites readers to submit more succinct versions of the code to game the system." An anonymous reader contributes a link to a similar article about spoofing Facebook Places to create an alibi.

SPHREAKING

I am happy that this is taking off. It's the only way we can fight back against data hoarders.

I propose SOCIAL PHREAKING: We need a P2P client that pretends to be a user of a social network: twitter, facebook, linked in, whatever. The software will login periodically (each client does it at a different rate, in fact, they negotiate.)

The idea is, the various fake accounts form relationships with one another. Every now and then they create a new account and share passwords where they login and 'appear to login' to be from a different location. The growth should be such that it is not suspicious and not an abuse of service. It would make more sense for every node to have only 1 or 2 accounts at most, to simulate families with accounts per family member.

• You can use a chat bot to generate the junk that goes into twitter feeds and people's walls. A markov would be a good one.
• You can spider nouns, hobbies from Wikipedia and randomly generate names and demographics. Of course they would have to be corrobative with the user's real location.
• You can use pictures from the various leaked archives to upload pictures.
• You can randomly spider groups and join them and so on.

With enough privacy advocates on the phreaknet should be able to generate enough traffic and data to distort the demographics at least slightly. We could make poison the data hoarders to make them think that everyone loves a certain brand of ice cream and then it would become more popular.

We can restore the tip of knowledge and power to ourselves.

Re:SPHREAKING

[Requiem18th]

I'd like to subscribe to your mailing list.

Re:SPHREAKING

[SirRedTooth]

Then the people who abuse the demographics see a amazing opportunity, they are the only ones who can differentiate the distorted and real data. So they can use their unique knowledge to put themselves ahead of the game. Assuming there is only one group of people distorting the data in a certain region. Anyway, who cares if some company knows i like mint ice cream. Or that I like to go jogging from 4pm - 7pm. As long as they dont bug my bathroom and take pictures of me in the shower I really don't care. Actually it would be quite nice to have products that suit me a bit more than ones on the market already. Whats the big deal? I already disclose a huge amount of information about myself to colleges, friends and partners so why should I go all ape shit when somebody tries to find out whether people in my village like tea or coffe.

Re:SPHREAKING

[Starayo]

They make kava ice cream? As in, from the roots of the kava plant?

Huh. How about that.

Re:SPHREAKING

[Geoff-with-a-G]

A very interesting idea, but I think spam shows us that whoever actually developed and implemented such systems would most likely use them to intentionally skew the data towards something they could profit from, rather than adding noise to degrade the data.

How much of your spam is not related to making money off you?

I imagine this massive and convincing network of fake people would suddenly discover that they all love Axe body spray...

Re:SPHREAKING

[fulldecent]

Spammers already do this, searched twitter lately?

Luckily

[RaymondKurzweil]

Foursquare isn't useful for anything important.

Re:Luckily

[naz404]

Sure it is! It is a revolutionary app indispensable for burglars everywhere!

Re:Luckily

[TheJokeExplainer]

and hitmen!

Re:Luckily

[WrongSizeGlass]

Foursquare isn't useful for anything important.

Clearly it functions well as the target of Perl scripts and being the butt of /. jokes. Hmm, I see you point.

Re:Luckily

[forkazoo]

and guys who want to take out a hit on the burglars!

It all sort of balances out.

Re:Luckily

[mweather]

Like they need an app to know that a house with no cars in the driveway in the middle of the day on a weekday is empty.

Re:Luckily

[foniksonik]

See the key point is not that you are away, it's how far away and for how long.

Re:Luckily

[WNight]

Or stealing from hit-men. They'd have the cool toys...

Re:Luckily

[mweather]

How far doesn't matter, only how long. And for virtually everyone, that is 9AM to 5PM or some approximation thereof. Thieves know you're going to be away for hours, and it only takes them minutes. You could be out getting milk and they'd have enough time to hit you before you got back.

Julian Assange...

[Jazz-Masta]

How long before Julian Assange is proven (through his Facebook account) to have been at a McDonald's in Seattle when the alleged assault took place?

Re:Julian Assange...

[MachDelta]

A better question is, how long will it take before some random (relative) nobody is prosecuted for a crime based on their facebook 'location' ?

Of course it's easy

[TheLink]

Not like there's going to be lots of fancy safeguards to try to prevent you from faking the GPS coordinates - which can come from a device in your control.

I think it was obvious to many from the start that it could be gamed, but most of those same people aren't interested in gaming it.

Re:Of course it's easy

[Atryn]

"Not like there's going to be lots of fancy safeguards to try to prevent you from faking the GPS coordinates - which can come from a device in your control."

Or, for that matter, to prevent others from faking your GPS coordinates? If you opt out of providing your real location, where is your data to prove you WEREN'T at the scene of the crime when someone presents "data" that says you WERE there? Interesting conundrum...

Re:Of course it's easy

[jeremymiles]

The bit where you enter their password might make it a little bit tricky.

Re:Of course it's easy

[Atryn]

The bit where you enter their password might make it a little bit tricky.

I submit Exhibit A, showing that Foursquare and Gowalla (at least... who knows how many other apps) send usernames and passwords in plaintext.

no need for srand;

[Danny+Rathjens]

"If srand() is not called explicitly, it is called implicitly at the first use of the "rand" operator." -- perldoc -f rand

So there is a wasted line right there. This whole thing is quite silly, though. perlgolf can be a lot more challenging and fun than making a simple http post. :)

Re:no need for srand;

[MacGyver2210]

This is not true of the Microsoft-based rand() function though. If you don't seed before you call rand() it will ALWAYS return 42 as the first random number(gee, I wonder if that's a joke), and the subsequent sequence of numbers are also always the same. I always call it to be sure, because what's a few clock cycles to make certain you're truly randomizing?

Re:no need for srand;

[pyrrhonist]

Perl itself calls srand() if it hasn't been called (regardless of what platform it's running on). You don't need to do it explicitly.

Re:no need for srand;

[slaingod]

I thought the same thing, until I ran across a situation in ruby's Passenger, where they were initializing the srand with time or something similar, but of course all the servers were restarted at the same time. This then caused my UUID's to collide in another library because we had removed a 'superflous' srand in our code that was masking the problem.

Just saying you don't always know what the code that isn't yours is doing, so it is probably a good idea to assume it isn't done and do it explicitly.

Re:no need for srand;

[chromatic]

Just saying you don't always know what the code that isn't yours is doing....

In this case, read Perl's documentation for rand().

Re:no need for srand;

[slaingod]

Yes, in this specific case of 9 lines of code that aren't doing anything with many outside libraries, etc., it may be possible to read the documentation, and assuming the documentation is correct, rely on the default behavior. That is very rarely the case however.

However when I have come across a particular problem that is resolved by being thorough, and ensuring things are initialized, my tendency is to remember that and keep doing it in the future, which is the case for srand/rand.

Just sharing my story.

Warrant has been cancelled

[wjh31]

apparently, this has already been cancelled http://www.bbc.co.uk/news/world-europe-11049316

Re:Warrant has been cancelled

[WrongSizeGlass]

I guess we all need to wait for someone in Sweden's Prosecution Authority office to leak the truth about this ;-)

9 lines of Perl?

[colinrichardday]

How long before someone gets it down to five lines?

Re:9 lines of Perl?

[mr_mischief]

Ummm... already done. Do I get a cookie?

Re:9 lines of Perl?

[colinrichardday]

Do I get a cookie?

No.

Easy golf: round one

[mr_mischief]

#!/usr/bin/perl -W
use IO::Socket;
srand;
sleep(rand()*600);
my $sock = IO::Socket::INET->new(PeerAddr=>'api.foursquare.com', PeerPort=>80,
        Proto =>'tcp', Type=>SOCK_STREAM) or die;
$ARGV[1] += rand() * 0.0001 - 0.00005;
$ARGV[2] += rand() * 0.0001 - 0.00005;
my $str = "vid=$ARGV[0]&private=0&geolat=$ARGV[1]&geolong=$ARGV[2]";
print $sock "POST /v1/checkin HTTP/1.1\r\nHost: api.foursquare.com\r\nUser-Agent:" ." Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ " ."(KHTML, like Gecko) Version/3.0 Mobile/1C10 Safari/419.3\r\nContent" ."-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic " ."XXXXXX\r\nContent-length: ",
length($str)+2, "\r\n\r\n$str\r\n";
$_=;

The author didn't really even try, so it'll be easy to shorten it. Shortening it a lot is left as further exercise. I'll just get rid of some low-hanging fruit. I'm sure Perlmonks will pick up the challenge if they haven't already.

1. The random number generator is automatically seeded, so get rid of that line.
2. The results from the socket are assigned to a variable, but that variable is not printed or otherwise used. There's a whole line. It might be friendly to read the data waiting, but it's not necessary to the task.
3. Rather than assigning to the command-line arguments, the assignment to $str could have included the random perturbations, so there's two more lines.

#!/usr/bin/perl -W
use IO::Socket;
sleep(rand()*600);
my $sock = IO::Socket::INET->new(PeerAddr=>'api.foursquare.com', PeerPort=>80,
        Proto =>'tcp', Type=>SOCK_STREAM) or die;
my $str = "vid=$ARGV[0]&private=0&geolat=" . ($ARGV[1] += rand() * 0.0001 - 0.00005)
        . "&geolong=" . ($ARGV[2] += rand() * 0.0001 - 0.00005);
print $sock "POST /v1/checkin HTTP/1.1\r\nHost: api.foursquare.com\r\nUser-Agent:"
        . " Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ " ."(KHTML, like Gecko) Version/3.0 Mobile/1C10 Safari/419.3\r\nContent" ."-Type: application/x-www-form-urlencoded\r\nAuthorization: Basic " ."XXXXXX\r\nContent-length: ",
length($str)+2, "\r\n\r\n$str\r\n";

Five logical lines. Actual display lines may of course be different depending upon several factors like attempting to break long lines for viewing and the vagaries of the textual mangling on Slashdot.

Re:Easy golf: round one

[ducomputergeek]

So now you can tell Foursquare to go away as I've replaced you with a small perl script?

Re:Easy golf: round one

[kwoff]

If "use IO::Socket" counts as one line, just make a module "Foursquare::Mayor" whose import does what you did. Voila, one line! (Or, since we ignored the shebang line (which merely invokes megabytes of interpreter), why not make an executable which....)

What is foursquare? - The missing description.

[gnalle]

Foursquare is a mobile application that makes cities easier to use and more interesting to explore. It is a friend-finder, a social city guide and a game that challenges users to experience new things, and rewards them for doing so. Foursquare lets users "check in" to a place when they're there, tell friends where they are and track the history of where they've been and who they've been there with. For more information on how foursquare works, see our searchable FAQ. http://foursquare.com/about

Re:What is foursquare? - The missing description.

[xeoron]

Do you work for them?

Re:What is foursquare? - The missing description.

[mr_mischief]

There's this other application on mobile phones that lets people selectively contact those they want at a particular moment and communicate arbitrary information including that and a bunch more via simultaneous two-way voice.

Re:What is foursquare? - The missing description.

[gnalle]

I don't work for Foursquare. I just thought that the slashdot summary was inadequate, so I decided to provide the missing information..

Re:What is foursquare? - The missing description.

[mr_mischief]

Well, for one thing, there's this feature called group calling. For another, there is probably a many-to-many over IP voice chat application for your phone if you look hard enough.

And finally... WOOSH!

This is why...

[Bazman]

...we can't have nice things.

  Yeah, foursquare is a cute little idea, but if people don't play nicely it'll suck. And with current GPS and locational technologies, it'll always be open to abuse.

Also, I reckon this is how Agent Smith managed to appear a zillion times in the same location.

Re:This is why...

[interval1066]

Well, it just follows that, like just about anything on the web, anyone relying on Foursquare as an absolute reflection of reality is being foolish. I think that as a simple social tool among friends its fine, but for government spook work obviously this ain't your playground. Of course, the news is rife with stories about criminals who don't seem to believe they can be caught by anything they do on-line.

Re:This is why...

[SanityInAnarchy]

Unfortunately, aside from being "cute" for a beer or something, it could conceivably be used as evidence to show that you were in a certain place at a certain time. Exploits like these have to become pretty common before we can be reasonably sure a court will throw out the "evidence" that I checked in at the scene of the crime...

Chris Gates did some research on this

[rajats]

http://carnal0wnage.blogspot.com/2010/03/fking-with-foursquare-goes-msf-style.html

Re:stres-s.x10.mx

[WrongSizeGlass]

Wow ... reading all that was really stressful ... too bad there isn't a source for stress relief that is easily accessible. sigh

Faking geolocation in Firefox

[BerkeleyDude]

Firefox allows you to fake your geolocation: http://pugio.net/2009/07/fake-your-geolocation-in-firef.html

Re:Faking geolocation in Firefox

Apparently I was the first person on Facebook to check in at the NSA headquarters.

Re:Faking geolocation in Firefox

We're sorry, you have spelled Firefox correctly in your Slashdot post. Here at Slashdot, you are supposed to pretend to be all about "teh open sourcez" but spell the names of the all popular F/OSS apps like a retard. Some accepted misspellings are: FireFox, Fire-Fox, Fire Fox, Foxfire, FireFOX, and Mozilla. If you choose the last option, please remember to be consistent and refer to all Adobe Acrobat apps as simply "Adobe."

Thanks!
The Management

Great idea.

> NOTE: To get this script to work, you must replace XXXXXX with the Base64
> encoded version of "email/phone:password", so base64("john@doe.com:mypassword").
> Here's Google's top ranked site for online Base64 encoding.

Yeah, what should go wrong by running your email/password-combo through a server-side Base64 encoder.

Re:Great idea.

[mr_mischief]

The same thing that could go wrong by sending it in Base64 in the first place? It's an encoding, not encryption. Oh, and there are already Perl modules to do Base64 encoding, but I guess importing another module and calling it for something you can calculate once would have just ballooned his line count a whole two lines.

So wait...

[coryking]

Did any body else catch that the Foursquare API has you sending your username and password in the clear?

Please tell me you can do all this on port 443 and that your phone is using SSL.

That said, I love it!

Re:So wait...

[francium+de+neobie]

Well, unfortunately, that plain text thing isn't limited to the hack. I intercepted the traffic coming from their iPhone app and it sends your passwords in plain text too.

Re:So wait...

[Atryn]

Holy cow... I wonder how many mobile apps in general are this inept at security? I'm betting - a lot. Thanks for the link, I've shared it already...

Web 1.0 defeats Web 2.0!

[WWWWolf]

It has been shown many times and it has been shown again: Web 1.0, with all of the glorious unreadable Perl stuff, neatly and cleanly defeats all this Ruby on Rails, gradients-and-rounded-corners, Twitter-compatible, "beta" Web 2.0 nonsense!

...or maybe Web 2.0 people should stop designing RESTful asynchronous JavaScript-compatible social-media APIs that are too easily abused. It's not that hard!

(This was supposed to be a humorous post, but it's not really working today, is it?)

Re:Web 1.0 defeats Web 2.0!

[SanityInAnarchy]

It has been shown many times and it has been shown again: Web 1.0, with all of the glorious unreadable Perl stuff, neatly and cleanly defeats all this Ruby on Rails, gradients-and-rounded-corners, Twitter-compatible, "beta" Web 2.0 nonsense!

I can write that script much quicker and cleaner in Ruby. In nine lines, I might even be able to tweet the results, just to annoy you...

...or maybe Web 2.0 people should stop designing RESTful asynchronous JavaScript-compatible social-media APIs that are too easily abused. It's not that hard!

Agreed. It's actually quite easy to create a RESTFUL AJAX-compatible social-media API which isn't so easily abused.

(This was supposed to be a humorous post, but it's not really working today, is it?)

Nope.

9 lines of perl?

You can do that with 1 line of shell + wget/curl

spoofing the phone's internal GPS

[Isaac-Lew]

Wouldn't a better hack be to spoof the location reported by your phone? After all, if the feds subpoena your cell phone records & get your actual location, wouldn't that destroy your foursquare/facebook alibi (as well as making you look more suspicious)?

Hire a "hacker"

[n_djinn]

To route burglaries. I no longer need to sit outside in my El Camino watching people and trying to guess when they will be gone. no all I need is a entry level programmer to parse all the "places" info in my target area. No longer will our street crew need to be on the street surveilling.

Foursquare iPhone app sends password in plain text

[francium+de+neobie]

I did a simple Wireshark session with Foursquare's iPhone app and found they're sending my username and password in plain text over HTTP - they don't encrypt anything at all and they do it every time you open the Foursquare app.

You can see the Wireshark screenshot at my : blog post.

I'm removing the Foursquare app from my iPhone now. It's way too dangerous.

to make it portable use \015\012 instead of \r\n

cause \r\n isn't \015\012 on every platform

$ARGV[0]

[pgn674]

Is it just me, or was $ARGV[0] never initialized? I wonder what 'vid' stands for?

Re:$ARGV[0]

[Smallpond]

"Must accept a venue ID and base GPS coordinates as command line input."

$ARGV[0] is the venue ID

Gaming places

[GregNorc]

You don't need a proxy or perl to game facebook places... you can do it by changing one line in your about:config and hard code "geo.wifi.uri"

I wrote up a full tutorial on my blog for those who are interested.

Re:to make it portable use \015\012 instead of \r\

[ais523]

The only even remotely common one where it isn't is Mac OS Classic (i.e. pre-OSX), nowadays. (Although Windows will convert \n into \r\n on output to a textmode file, this will happen whether it's written as \015\012 or \r\n.) So you don't really gain anything by doing this. (A better method is to set the "binary mode" flag on the filehandle, e.g. by using "binmode" in Perl, in order to turn off platform-specific newline translation; this will avoid the \n to \r\n translation on Windows and not hurt on other common platforms. It wouldn't surprise me if this was the default for network sockets anyway, though.)