
A Facebook Sixth Sense - jlemos
http://kirszenberg.com/facebook-sixth-sense
======
bhuga
Fun article! I appreciate the author taking the time to go through the
details, like formatting the source of the javascript, and figuring out the
module system. Hacking on other peoples' websites is great fun. Everyone
should try it, and I hope this article encourages a few people to!

I hack on Slack, which is complex enough that even small UI changes require
hideous hacks. And since the javascript and CSS changes out from under you
constantly, nothing ever works for long. I'm reverse engineering something to
create an opportunity to produce code that runs against an API that will
change without notice. But I get big, visible improvements I see every day,
and the feeling of changing something that wasn't meant to be changed is just
so unreasonably satisfying!

~~~
studentrob
I'm crossing my fingers that this, or a comment like it about hacking, remains
the top comment in this thread, rather than some warning... _please be true to
your name, please be true to your name, ..._ ;-). Just kidding I don't care.
Fun article indeed.

------
sdp
A little while ago, someone used Facebook's last active time to track their
friends' sleep:
[https://medium.com/life-tips/how-you-can-use-facebook-to-track-your-friends-sleeping-habits-505ace7fffb6#.9irq1lnbp](https://medium.com/life-tips/how-you-can-use-facebook-to-track-your-friends-sleeping-habits-505ace7fffb6#.9irq1lnbp)

~~~
Johnny_Brahms
I remember a bunch of friends being upset about this. Apparently it's an
outrage that your friends can do this, and perfectly fine that facebook
probably does it all the time.

~~~
lazzlazzlazz
Having somebody intentionally look into _your life_, individually, because of
some possibly perverse or unwanted interest in you is extremely creepy.

Having a large company store some data you generated in a server farm
somewhere while a mindless algorithm does some math with that data to shuffle
a few ads around for you to see is utterly banal and not creepy.

~~~
gertef
> Having a large company store some data you generated in a server farm
> somewhere

... and make it available for somebody to intentionally look into your life,
individually, because of some possibly perverse or unwanted interest in you

------
dasyatidprime
So, as a code example, fine---but I'd caution against actually using this with
your friends unless you know they're okay with it. They will be acting under
certain social expectations with regard to when and how people can see their
typing notifications based on when and how they were able to see them before,
and if you tweak your way into getting more access without your conversation
partners knowing it beforehand, you're at least being sneaky, and possibly
creepy or rude depending on the attitudes of your circle. The flow of the
machine transmissions doesn't currently constitute something visible enough to
hang social norms off of, so be careful not to treat it as the anchor for them
by mistake. (This applies to other implementations of similar things, as well,
such as "Psychic Mode" for Pidgin.)

~~~
Freak_NL
Facebook users are apparently broadcasting the fact that they are typing to
their conversation partners, why should you ignore that information? If you
don't like that, disable that feature, or complain to Facebook if it is not
something you can disable yourself (or don't use Facebook).

It can't hurt to raise some awareness of what you are invisibly broadcasting
in terms of data on-line.

(I always liked how this feature could be disabled in Gaim and Pidgin.)

~~~
thomasahle
I suppose it would be even easier to make a script that blocks facebook from
sending this information? Does it already exist?

~~~
MasterScrat
Yes, "Facebook™ Chat Privacy" Chrome extension:

[https://chrome.google.com/webstore/detail/facebook-chat-privacy/gfpgaanechfneiboempkfjghninbibjn?hl=en](https://chrome.google.com/webstore/detail/facebook-chat-privacy/gfpgaanechfneiboempkfjghninbibjn?hl=en)

~~~
ryanmonroe
Anyone else get an error when trying to add this extension?

>Package is invalid. Details: 'Could not load background script
'tracksy/tracksy.js'.'.

------
K0nserv
I used to have a rule in my ad blocker that blocked the typing notification
and read notification from being sent. Both of which are features that I
despise.

When typing a `POST https://www.facebook.com/ajax/messaging/typ.php?dpr=1`
is sent for example.

~~~
dorian-graph
Used to? Did you stop or does it no longer work? Was it as easy as adding that
URL to your ad blocker blacklist?

~~~
K0nserv
I've started using a bundled app for messenger.com so haven't looked into
blocking them for that. Also use the mobile Messenger app a fair bit.

I'd like to switch away from the Facebook platform, but it's seriously
difficult to convert people away from it.

~~~
scalio
Just do it. Seriously, moving away from fb is important, but it won't be seen
as such as long as people like you don't flat out refuse to use the crap. It's
worked out extremely well personally, drastically cutting down on social
noise, thus getting distracted less. Somehow, people who actually wanted to
stay in touch, managed to over different channels (of which there's a fuckton;
signal being my goto solution).

~~~
omgdlight
Why signal? What alternatives do you use / have you considered?

I'm still on facebook messenger but I'm mostly off facebook otherwise (and have
settings to make it difficult to track pictures of me), and I'm curious to
hear a good comparison of messaging software.

------
thomasahle
Contrary to popular belief, Ajax is actually one of the best things to have
happened for hooking up to Web Apps and scraping. You used to have to walk
through the obscure rendered html, now you mostly get to access the raw data
in json format.

~~~
jtmarmon
is this really a contrarian opinion? i feel like this is a pretty obvious fact
that it's easier to read network requests to scrape a website than parsing
html

~~~
alanwatts
Is there a specific tool you would recommend for doing this?

~~~
slig
Chrome Dev Tools is pretty awesome. You can right-click a request and get an
a 'curl' request with cookies and everything that can be replayed on a terminal.

------
marak830
Huh this was a really interesting write up on semi-obscured code. I had never
seriously thought about crawling through popular sites code like that, I'm
definitely going to have to give it a go!

~~~
MasterScrat
I would really enjoy more such in-depth explanations about major websites.

A bit like this guy's series on game engines:
[http://fabiensanglard.net/quake3/](http://fabiensanglard.net/quake3/)

------
MzHN
The article is great and I enjoyed it. It gives good insight into React and
inspecting minified web apps, however I'd like to point out two other ways you
could go about it.

Sometimes you can't get inside the application, because the JavaScript is
scoped in such a way that nothing leaks out. In those cases you can make an
extension that runs before any script on the page, and hijacks native JS such
as XMLHttpRequest or WebSocket.

In other words, declare your own WebSocket, and pass everything through to the
real one, while intercepting any data you're interested in.

Also for this specific case, you could use Chrome's built-in API for
extensions to intercept requests.[1]

As a benefit in some cases these methods can be less prone to breaking changes
in the web app, but the opposite can also be true.

[1]
[https://developer.chrome.com/extensions/webRequest](https://developer.chrome.com/extensions/webRequest)

~~~
poxrud
Thanks for the extension. To quickly see what's going on you can also just
monkey patch the native functions right in the console.
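
The wrapping technique MzHN describes, turned to the privacy use K0nserv and thomasahle ask about elsewhere in the thread: an added example, not code from the article or from any commenter. It wraps an `XMLHttpRequest`-like constructor so that requests to the `typ.php` path quoted in the thread are dropped. The `installTypingBlocker` and `isBlocked` names, the stand-in class and the second sample URL are constructed for illustration.

```javascript
// Added example. Only the typ.php path comes from the thread; the rest is assumed.
const BLOCKED_PATHS = ['/ajax/messaging/typ.php'];

// True when the request path is on the block list (query string ignored).
function isBlocked(url, base = 'https://www.facebook.com/') {
  try {
    return BLOCKED_PATHS.includes(new URL(url, base).pathname);
  } catch (e) {
    return false; // unparsable URL: leave the request alone
  }
}

// Wrap open/send on an XMLHttpRequest-like constructor; returns the drop log.
function installTypingBlocker(XHR, log = []) {
  const realOpen = XHR.prototype.open;
  const realSend = XHR.prototype.send;
  const dropped = new WeakSet();
  XHR.prototype.open = function (method, url, ...rest) {
    if (isBlocked(String(url))) {
      dropped.add(this);
      log.push({ method, url: String(url) });
    } else {
      dropped.delete(this); // the same object may be reused for another URL
    }
    return realOpen.call(this, method, url, ...rest);
  };
  XHR.prototype.send = function (body) {
    if (dropped.has(this)) return undefined; // never reaches the network
    return realSend.call(this, body);
  };
  return log;
}

// Constructed stand-in for the browser's XMLHttpRequest so this runs in Node.
function demo() {
  const sent = [];
  class FakeXHR {
    open(method, url) { this.url = url; }
    send() { sent.push(this.url); }
  }
  const log = installTypingBlocker(FakeXHR);
  for (const url of ['/ajax/messaging/typ.php?dpr=1', '/constructed/other-endpoint']) {
    const xhr = new FakeXHR();
    xhr.open('POST', url);
    xhr.send('');
  }
  return { sent, blocked: log.map((e) => e.url) };
}
console.log(demo());
```

In a browser the wrapper has to be installed in the page's own context before any page script keeps a reference to the original `XMLHttpRequest`, which is the "runs before any script" requirement mentioned above. Requests made through `fetch` or a WebSocket are not touched by it.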

------
blowski
Fascinating article, and thanks for taking the time to research it and write
up the results.

This kind of thing makes me think that Facebook et al will eventually push for
a way of having closed source client-side scripting.

~~~
lossolo
Good for us that there is no such thing as closed source client side logic in
web applications (without installing extensions/plugins). You can only
obfuscate.

~~~
oolongCat
Well, if they introduced some "special feature" that's available only when you
install a certain plugin, I am sure millions of people will do it just because
they can get the "special feature."

~~~
icebraining
Browsers won't support plugins for long (extensions yes, but those are as open
as websites).

Still, even a binary can be reverse engineered; you see it all the time.

------
b34r
I think I recall this being implemented back in the AIM days. A "psychic"
plugin for Pidgin or something like that.

------
flashman
I remember, back in the old days, messenger client ICQ would send your
keystrokes as you typed them, exposing your spelling mistakes for all to see.

~~~
ashitlerferad
Unix talk was awesome, I wish it would return.

------
MasterScrat
A somehow similar hack I want to do when I have the time:

When you have a WhatsApp Web tab opened, it keeps a socket connection opened
that gives you information such as your phone battery level.

I really want an icon on the Chrome toolbar showing me that charge level.

~~~
roberto
You can install owntracks ([http://owntracks.org/](http://owntracks.org/)) on
your phone, and configure it to publish the battery level (as well as your
location) to an mqtt broker.

------
ri_k
Created an account to say how much I enjoyed this article, thank you for
sharing it!

------
chinathrow
The same thing has been possible with Pidgin for ages - it opened the chat
window automatically when a contact started typing.

~~~
vishbar
It was definitely an option for AIM, and I believe it was an optional plugin
rather than a default feature. I remember freaking out friends in high school
:-)

~~~
kawsper
> I remember freaking out friends in high school :-)

That was the primary feature :) It worked for the MSN/Microsoft Messenger
protocol as well.

------
Kiro
Won't these minified names possibly change with the next JS deploy at
Facebook?

~~~
Morhaus
They will. However, if you take a look at the final code snippet, you'll see
we're not relying on any minified name. The public interface of modules
remains intact through minification.

------
IshKebab
Ha I remember the same thing used to be possible with MSN if you used a third
party client.

You could have it open a window when someone started typing to you, before
they sent their message.

~~~
yeahmaybe
I also immediately thought about the MSN customization days! Is fb the
customizable platform of this time?

For MSN it was also non-officially supported and it grew quite a community of
devs who tinkered around things like this, would be interesting to see a
renaissance of such projects.

------
toni
> I think the biggest takeaway of this blog post is how easy it is to hook
> into the code of a well-structured modern web application.

So does this mean that spaghettification of your web application code will
work as a higher barrier to enter against these kinds of clever workarounds?

Admittedly, writing spaghetti code will make the programmer feel miserable,
but does it really deter people from hacking on your code?

------
Ketz-san
This is really interesting, and takes me back to a few months ago, when I
tried to read the FB Newsfeed from the console. I did it more crudely, but I
lack the knowledge the OP has, especially seeing how to integrate with React.

I had had an idea for a nice iOS app, which would in part rely on listing
Facebook posts from your friends. I thought this would be easy enough, so I
designed it before I prototyped, which is something I never do.

Sure enough, when I had finished the design and finally got to prototyping, I
realised that Facebook simply no longer allow access to the read_stream API
endpoint, unless you get authorisation from them (seems like no one does).
Info here:
[https://developers.facebook.com/docs/facebook-login/permissions/v2.5#reference-read_stream](https://developers.facebook.com/docs/facebook-login/permissions/v2.5#reference-read_stream)

Fuelled by ingenuity, and because I had the design ready, I thought I'd try
and simply load the user's news feed on a UIWebView, and read the data I need
from elements in the DOM. I'm pretty sure this is against FB's ToS and
wouldn't fly for long, but I kind of want to give it a go anyway.

I got to a place where I proved it works, but not always reliably and it's
certainly hacky.

If you want to give it a go, load up
[https://m.facebook.com](https://m.facebook.com) on your favourite browser,
and then copy/paste + run the JS code in this jsFiddle
([https://jsfiddle.net/Letwernb/](https://jsfiddle.net/Letwernb/)), to your
console.

It'll list whatever posts it finds on your feed, and give you some info on
them. I believe at the moment I'm skipping ads and not so relevant posts, such
as "friend shared a link".

I've also got a bit of code that lets me load more posts, until I've reached
the 20 I need to display in the app. This is hackier still.

I've got some challenges though. Like I said, it's hacky and relies on FB not
changing certain class names, and because the date for each post comes as a
string ("2 hours ago"), I need to find a way to convert that back to a
timestamp so I can re-order the posts.

Maybe there's an easier way to do what I was trying to, using a similar
approach as the one described in this article?

------
noobermin
> And there’s nothing like that excruciating feeling when you watch it
> disappear, never to be seen again.

True honesty here, that has never elicited that response in me unless I held a
sexual and/or romantic interest in the person on the other end. Other times,
it's usually annoyance and or ambivalence.

------
JorgeGT
The article was very clever and interesting (also the trip down memory lane, I
remember this being possible in MSN Messenger!) but the console warning was a
first for me, it's even nicely localized. Do more websites do this?

~~~
MasterScrat
Regarding the warning, a nice StackOverflow question with an answer for a
Facebook engineer on the topic:

[http://stackoverflow.com/questions/21692646/how-does-facebook-disable-the-browsers-integrated-developer-tools](http://stackoverflow.com/questions/21692646/how-does-facebook-disable-the-browsers-integrated-developer-tools)

------
vvoyer
The github repository of the hack:
[https://github.com/Morhaus/facebook-sixth-sense](https://github.com/Morhaus/facebook-sixth-sense)

------
RRRA
I've been using pidgin for this feature for years, people freak out when they
don't see you typing but you say something before they even start... ;)

------
Trundle
Neat tool! Are you able to make it record who/when for when the notification
occurs but no message follows? It'd turn it from neat to useful imo.

~~~
Morhaus
That's a great suggestion! If you'd like to see this implemented, please open
an issue.
[https://github.com/Morhaus/facebook-sixth-sense/issues](https://github.com/Morhaus/facebook-sixth-sense/issues)

~~~
Trundle
Glad you think so. Done!

------
paws
Enjoyed reading through this, nice work!

------
antoaravinth
Never thought about binding React Dev tools on Facebook and watch the DOM
updates. Quite fun!

------
orlik_sixteen
Has anyone tried this extension? It doesn't work on my Chromium.

------
Cozumel
Very cool!

------
blazespin
Should have reported it and got your 10k. fb needs to add a flag not to send
typing message if no msg in last 30 minutes.

~~~
javawizard
Seriously? This is hardly a security issue.

