A Facebook Sixth Sense (kirszenberg.com)
410 points by jlemos on May 31, 2016 | 79 comments

Fun article! I appreciate the author taking the time to go through the details, like formatting the source of the javascript, and figuring out the module system. Hacking on other people's websites is great fun. Everyone should try it, and I hope this article encourages a few people to!

I hack on Slack, which is complex enough that even small UI changes require hideous hacks. And since the javascript and CSS changes out from under you constantly, nothing ever works for long. I'm reverse engineering something to create an opportunity to produce code that runs against an API that will change without notice. But I get big, visible improvements I see every day, and the feeling of changing something that wasn't meant to be changed is just so unreasonably satisfying!

I'm crossing my fingers that this, or a comment like it about hacking, remains the top comment in this thread, rather than some warning... please be true to your name, please be true to your name, ... ;-). Just kidding I don't care. Fun article indeed.

A little while ago, someone used Facebook's last active time to track their friends' sleep: https://medium.com/life-tips/how-you-can-use-facebook-to-tra...

I remember a bunch of friends being upset about this. Apparently it's an outrage that your friends can do this, and perfectly fine that facebook probably does it all the time.

The scope of behavior Facebook is capable of obtaining is probably beyond comprehension for most users. Having a slice of that scope opened up and dissected publicly is quite creepy; despite intellectually understanding how much data Facebook has about them, actually seeing that data in use creates a much more visceral reaction that simple intellect cannot create.

Having somebody intentionally look into your life, individually, because of some possibly perverse or unwanted interest in you is extremely creepy.

Having a large company store some data you generated in a server farm somewhere while a mindless algorithm does some math with that data to shuffle a few ads around for you to see is utterly banal and not creepy.

> Having a large company store some data you generated in a server farm somewhere

... and make it available for somebody to intentionally look into your life, individually, because of some possibly perverse or unwanted interest in you

So, as a code example, fine, but I'd caution against actually using this with your friends unless you know they're okay with it. They will be acting under certain social expectations with regard to when and how people can see their typing notifications based on when and how they were able to see them before, and if you tweak your way into getting more access without your conversation partners knowing it beforehand, you're at least being sneaky, and possibly creepy or rude depending on the attitudes of your circle. The flow of the machine transmissions doesn't currently constitute something visible enough to hang social norms off of, so be careful not to treat it as the anchor for them by mistake. (This applies to other implementations of similar things, as well, such as "Psychic Mode" for Pidgin.)

Facebook users are apparently broadcasting the fact that they are typing to their conversation partners, why should you ignore that information? If you don't like that, disable that feature, or complain to Facebook if it is not something you can disable yourself (or don't use Facebook).

It can't hurt to raise some awareness of what you are invisibly broadcasting in terms of data on-line.

(I always liked how this feature could be disabled in Gaim and Pidgin.)

I suppose it would be even easier to make a script that blocks facebook from sending this information? Does it already exist?

There's always the tried and true method: Type your message in notepad, then copy and paste it into wherever when ready.

Yes, "Facebook™ Chat Privacy" Chrome extension:


Anyone else get an error when trying to add this extension?

> Package is invalid. Details: 'Could not load background script 'tracksy/tracksy.js'.'.

There's one called Facebook Unseen that works well. It's a Chrome extension that gives you a toggle.

Well, firstly, because they are not in a similar position to yours with regard to this fact unless they are of a similar attitude and skill for promoting these transmissions to human-side visibility. (If you know that they do have the same attitude as the one you expressed, then the "you know they're okay with it" exception applies.) There are a lot of things people "broadcast" in the physical world which are socially expected to be politely ignored as well.

Put another way, your statement makes perfect sense if you assume all software is actually a User-Agent in the traditional, ideal sense. But this isn't so, because even programmers don't generally have the spare cycles to rewrite everything they come in contact with, and non-programmers have an even more vanishingly small chance to do anything about it. Agency in the digital world is inevitably shaped by other people's decisions as represented in software, and social agency is shaped by how that software presents itself not just to you but to the people you're communicating with through it. When the state of the software doesn't exactly match the state as visible to the participants, the latter state prevails in a social context, and it's the responsibility of a polite conversation partner to not mess around behind the curtain unless you already know you're welcome.

Psychic mode is/was amazing. I used to love freaking people out when I saw the 'You feel a disturbance in the force...' message and quickly type 'Hi!'.

I love Pidgin so much. It's such a shame to see things move from "one client to rule them all" to hundreds of isolated, willfully incompatible clients.

Agreed. I would do the same thing.

Thanks Dad.

Not a fb user, but I partially agree with you here, in that you should already send this information to all your fb friends, so they can learn that their "social expectations" are not backed by what facebook gives away about them to tech-savvy users.

I mostly agree with that, yes, though I worry about message saturation too early on. Currently there's very little many users can do about it. If they have the idea shoved into their faces too many times while that's true, will they keep the information around and be more willing to change habits later if that will help, or will the shock just get muted to a dull roar so that they get used to it? Or will they decide to believe that this is okay in order to avoid the current-day social consequences of trying to act according to the opposite?

This reminds me of how people get arrested for pointing out security flaws in important systems, trying to help. Let's not shoot the messenger.

I think there's a big difference between being arrested and being considered to be acting rude. There's also a big difference between pointing out a security flaw and continuing to actively exploit it. That's why I said I think it's fine as a code example, and I think it's fine to raise awareness. Just be careful about keeping this around in your main browser while you're chatting with many people; you might be risking trust if they find out.

I used to have a rule in my ad blocker that blocked the typing notification and read notification from being sent. Both of which are features that I despise.

When typing, a `POST https://www.facebook.com/ajax/messaging/typ.php?dpr=1` is sent, for example.
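A defensive counterpart to the ad-blocker rule above, added here as an example and not code from the post or from any extension named in the thread: a Chrome extension background script that uses Chrome's webRequest blocking API to cancel the typing-notification POST quoted in the comment. The host and path come from the quoted URL; the manifest permissions and the `isTypingNotification` helper are assumptions.

```javascript
// Added example (not from the thread): cancel Facebook's typing-notification
// request, the POST to /ajax/messaging/typ.php quoted above, before it leaves
// the browser. Assumes an MV2-era manifest granting "webRequest",
// "webRequestBlocking" and the host permission "*://*.facebook.com/*".

// Pure decision function, kept separate so it can be exercised outside Chrome.
function isTypingNotification(method, url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false; // not a URL at all: nothing to block
  }
  const host = parsed.hostname;
  // Match facebook.com and its subdomains only; "evil-facebook.com" must not match.
  const onFacebook = host === 'facebook.com' || host.endsWith('.facebook.com');
  return method === 'POST' && onFacebook && parsed.pathname === '/ajax/messaging/typ.php';
}

// Register the blocking listener only when running inside an extension.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  chrome.webRequest.onBeforeRequest.addListener(
    (details) => ({ cancel: isTypingNotification(details.method, details.url) }),
    { urls: ['*://*.facebook.com/*'] },
    ['blocking']
  );
}
```

Read receipts mentioned in the same comment go through a different endpoint that the thread does not name, so they are not covered here.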

Used to? Did you stop or does it no longer work? Was it as easy as adding that URL to your ad blocker blacklist?

I've started using a bundled app for messenger.com so haven't looked into blocking them for that. Also use the mobile Messenger app a fair bit.

I'd like to switch away from the Facebook platform, but it's seriously difficult to convert people away from it.

Just do it. Seriously, moving away from fb is important, but it won't be seen as such as long as people like you don't flat out refuse to use the crap. It's worked out extremely well personally, drastically cutting down on social noise, thus getting distracted less. Somehow, people who actually wanted to stay in touch managed to over different channels (of which there's a fuckton; signal being my goto solution).

Why signal? What alternatives do you use / have you considered?

I'm still on facebook messenger but I'm mostly off facebook otherwise (and have settings to make it difficult to track pictures of me), and I'm curious to hear a good comparison of messaging software.

I know of various third-party IM clients which allow you to do this. Been a long-time user of Trillian myself, for which this was one of the cooler features back in the day. Allowed you to be notified of people typing, regardless of having an open conversation, and set up whether you wanted to send typing notifications always, only after having sent an initial message, or never. Was pretty cool to be able to say "Hi!" to someone just when they were about to message you. Most of my friends never figured out how I did that, since their official clients never supported it so they didn't even know it could be a thing.

Haven't got Facebook myself, but I know Trillian fully supports Facebook chat and I suppose many other (free/open source) IM clients do as well. Such multi-network clients are in my experience great for slowly moving people away from pretty much any network, since they pretty much remove the distinction between them. I just add my friends and let the software figure out how exactly it gets the message to them. :)

Contrary to popular belief, Ajax is actually one of the best things to have happened for hooking up to Web Apps and scraping. You used to have to walk through the obscure rendered html, now you mostly get to access the raw data in json format.

Is this really a contrarian opinion? I feel like this is a pretty obvious fact that it's easier to read network requests to scrape a website than parsing html

I'm not sure why, but many scraping tools handle javascript websites by emulating clicks and running the javascript.

I think the idea is that clicking on the button is less likely to change suddenly than whatever protocol they're running on top of AJAX.

In my experience internal layout changes seem to happen way more often than changes to the AJAX handlers.

Is there a specific tool you would recommend for doing this?

Chrome Dev Tools is pretty awesome. You can right-click a request and get a 'curl' request with cookies and everything that can be replayed on a terminal.

To read network requests? Charles proxy is great!

Huh this was a really interesting write up on semi-obscured code. I had never seriously thought about crawling through popular sites code like that, I'm definitely going to have to give it a go!

I would really enjoy more such in-depth explanations about major websites.

A bit like this guy's series on game engines: http://fabiensanglard.net/quake3/

The article is great and I enjoyed it. It gives good insight into React and inspecting minified web apps, however I'd like to point out two other ways you could go about it.

Sometimes you can't get inside the application, because the JavaScript is scoped in such a way that nothing leaks out. In those cases you can make an extension that runs before any script on the page, and hijacks native JS such as XMLHttpRequest or WebSocket.

In other words, declare your own WebSocket, and pass everything through to the real one, while intercepting any data you're interested in.

Also for this specific case, you could use Chrome's built-in API for extensions to intercept requests.[1]

As a benefit in some cases these methods can be less prone to breaking changes in the web app, but the opposite can also be true.

[1] https://developer.chrome.com/extensions/webRequest

Thanks for the extension. To quickly see what's going on you can also just monkey patch the native functions right in the console.
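The interception technique described two comments up (wrap the native `WebSocket` and `XMLHttpRequest` and pass everything through to the real ones) and the console monkey-patch mentioned in the reply, as one added example that is not code from either commenter or from the facebook-sixth-sense project. The global object is passed in so the same function can be run against constructed stand-in classes; `installNetworkTap`, `onSend` and the Fake* classes are all assumptions.

```javascript
// Added example, not code from the thread or from facebook-sixth-sense: wrap
// the page's native WebSocket and XMLHttpRequest so every outgoing payload is
// reported to onSend before it reaches the real implementation. globalObj is
// the global to patch (window in a browser); passing it in lets the tap be
// exercised against the constructed stand-ins further down.
function installNetworkTap(globalObj, onSend) {
  const RealWebSocket = globalObj.WebSocket;
  const RealXHR = globalObj.XMLHttpRequest;
  let realOpen, realSend;
  if (RealWebSocket) {
    // A Proxy keeps `new WebSocket(url)` returning a genuine socket while
    // wrapping that socket's send() at construction time.
    globalObj.WebSocket = new Proxy(RealWebSocket, {
      construct(Target, args) {
        const ws = new Target(...args);
        const originalSend = ws.send;
        ws.send = function (data) {
          onSend({ kind: 'websocket', url: String(args[0]), data });
          return originalSend.call(this, data);
        };
        return ws;
      },
    });
  }
  if (RealXHR) {
    // XHR is patched on the prototype: remember the target in open() and
    // report it together with the body in send().
    realOpen = RealXHR.prototype.open;
    realSend = RealXHR.prototype.send;
    RealXHR.prototype.open = function (method, url, ...rest) {
      this.__tap = { method, url: String(url) };
      return realOpen.call(this, method, url, ...rest);
    };
    RealXHR.prototype.send = function (body) {
      onSend({ kind: 'xhr', ...this.__tap, data: body });
      return realSend.call(this, body);
    };
  }
  // Hand back the originals so the tap can be removed cleanly.
  return { uninstall() {
    if (RealWebSocket) globalObj.WebSocket = RealWebSocket;
    if (RealXHR) { RealXHR.prototype.open = realOpen; RealXHR.prototype.send = realSend; }
  } };
}

// Constructed stand-ins (not the real browser classes) used to demonstrate the tap.
class FakeWebSocket { constructor(url) { this.url = url; this.sent = []; } send(d) { this.sent.push(d); } }
class FakeXHR { open(m, u) { this.target = [m, u]; } send(b) { this.body = b; } }

function demo() {
  const fakeGlobal = { WebSocket: FakeWebSocket, XMLHttpRequest: FakeXHR };
  const seen = [];
  const tap = installNetworkTap(fakeGlobal, (e) => seen.push(e));
  const ws = new fakeGlobal.WebSocket('wss://chat.example.invalid/');
  ws.send('{"type":"typing"}');
  const xhr = new fakeGlobal.XMLHttpRequest();
  xhr.open('POST', 'https://www.example.invalid/ajax/typ.php');
  xhr.send('state=1');
  tap.uninstall();
  return { seen, delivered: [ws.sent[0], xhr.body], restored: fakeGlobal.WebSocket === FakeWebSocket };
}
```

In a real page this has to run before the application captures its own references to the natives, which is why the comment above suggests an extension script that runs before any page script; pasting `installNetworkTap(window, console.log)` into the console only catches sockets and requests created afterwards.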

Fascinating article, and thanks for taking the time to research it and write up the results.

This kind of thing makes me think that Facebook et al will eventually push for a way of having closed source client-side scripting.

Good for us that there is no such thing as closed source client side logic in web applications (without installing extensions/plugins). You can only obfuscate.

Not yet there isn't. But I can imagine it being made possible, in the same way as EME is allowing DRM on media.

That's true to an extent, except a compiled binary is much harder to decompile compared to what the author has done in the article with obfuscated JS. In future, I imagine more websites will use WebAssembly for this reason.

Well, if they introduced some "special feature" that's available only when you install a certain plugin, I am sure millions of people will do it just because they can get the "special feature."

Browsers won't support plugins for long (extensions yes, but those are as open as websites).

Still, even a binary can be reverse engineered; you see it all the time.

How exactly is that different from non-web applications?

If you have the binary, you can reverse-engineer it.

Or maybe they'll build this out as a feature themselves. They implemented the dots in the first place; this is only a slight extension of the idea.

I think I recall this being implemented back in the AIM days. A "psychic" plugin for Pidgin or something like that.

I remember, back in the old days, messenger client ICQ would send your keystrokes as you typed them, exposing your spelling mistakes for all to see.

Unix talk was awesome, I wish it would return.

A somehow similar hack I want to do when I have the time:

When you have a WhatsApp Web tab opened, it keeps a socket connection opened that gives you information such as your phone battery level.

I really want an icon on the Chrome toolbar showing me that charge level.

You can install owntracks (http://owntracks.org/) on your phone, and configure it to publish the battery level (as well as your location) to an mqtt broker.

As far as I can tell from a quick glance (WhatsApp Web is blocked at work unfortunately), the battery level is transmitted once at page load. So, a constant indicator might not work well. Might take a further look later.

Created an account to say how much I enjoyed this article, thank you for sharing it!

The same thing has been possible with Pidgin for ages - it opened the chat window automatically when a contact started typing.

It was definitely an option for AIM, and I believe it was an optional plugin rather than a default feature. I remember freaking out friends in high school :-)

> I remember freaking out friends in high school :-)

That was the primary feature :) It worked for the MSN/Microsoft Messenger protocol as well.

Won't these minified names possibly change with the next JS deploy at Facebook?

They will. However, if you take a look at the final code snippet, you'll see we're not relying on any minified name. The public interface of modules remains intact through minification.

Ha I remember the same thing used to be possible with MSN if you used a third party client.

You could have it open a window when someone started typing to you, before they sent their message.

I also immediately thought about the MSN customization days! Is fb the customizable platform of this time?

For MSN it was also non-officially supported and it grew quite a community of devs who tinkered around things like this, would be interesting to see a renaissance of such projects.

> I think the biggest takeaway of this blog post is how easy it is to hook into the code of a well-structured modern web application.

So does this mean that spaghettification of your web application code will work as a higher barrier to entry against these kinds of clever workarounds?

Admittedly, writing spaghetti code will make the programmer feel miserable, but does it really deter people from hacking on your code?

This is really interesting, and takes me back to a few months ago, when I tried to read the FB Newsfeed from the console. I did it more crudely, but I lack the knowledge the OP has, especially seeing how to integrate with React.

I had had an idea for a nice iOS app, which would in part rely on listing Facebook posts from your friends. I thought this would be easy enough, so I designed it before I prototyped, which is something I never do.

Sure enough, when I had finished the design and finally got to prototyping, I realised that Facebook simply no longer allow access to the read_stream API endpoint, unless you get authorisation from them (seems like no one does). Info here: https://developers.facebook.com/docs/facebook-login/permissi...

Fuelled by ingenuity, and because I had the design ready, I thought I'd try and simply load the user's news feed on a UIWebView, and read the data I need from elements in the DOM. I'm pretty sure this is against FB's ToS and wouldn't fly for long, but I kind of want to give it a go anyway.

I got to a place where I proved it works, but not always reliably and it's certainly hacky.

If you want to give it a go, load up https://m.facebook.com on your favourite browser, and then copy/paste + run the JS code in this jsFiddle (https://jsfiddle.net/Letwernb/), to your console.

It'll list whatever posts it finds on your feed, and give you some info on them. I believe at the moment I'm skipping ads and not so relevant posts, such as "friend shared a link".

I've also got a bit of code that lets me load more posts, until I've reached the 20 I need to display in the app. This is hackier still.

I've got some challenges though. Like I said, it's hacky and relies on FB not changing certain class names, and because the date for each post comes as a string ("2 hours ago"), I need to find a way to convert that back to a timestamp so I can re-order the posts.

Maybe there's an easier way to do what I was trying to, using a similar approach as the one described in this article?

> And there's nothing like that excruciating feeling when you watch it disappear, never to be seen again.

True honesty here, that has never elicited that response in me unless I held a sexual and/or romantic interest in the person on the other end. Other times, it's usually annoyance and/or ambivalence.

The article was very clever and interesting (also the trip down memory lane, I remember this being possible in MSN Messenger!) but the console warning was a first for me, it's even nicely localized. Do more websites do this?

Regarding the warning, a nice StackOverflow question with an answer from a Facebook engineer on the topic:


The github repository of the hack: https://github.com/Morhaus/facebook-sixth-sense

I've been using pidgin for this feature for years, people freak out when they don't see you typing but you say something before they even start... ;)

Neat tool! Are you able to make it record who/when for when the notification occurs but no message follows? It'd turn it from neat to useful imo.

That's a great suggestion! If you'd like to see this implemented, please open an issue. https://github.com/Morhaus/facebook-sixth-sense/issues

Glad you think so. Done!

Enjoyed reading through this, nice work!

Never thought about binding React Dev tools on Facebook and watching the DOM updates. Quite fun!

Has anyone tried this extension? It doesn't work on my Chromium.


We've banned this account. Personal attacks aren't allowed here, novelty accounts aren't allowed here, and snark is deprecated here, so please don't do these things on HN.

We detached this comment from https://news.ycombinator.com/item?id=11805831 and marked it off-topic.

Very cool!

Should have reported it and got your 10k. FB needs to add a flag not to send typing message if no msg in last 30 minutes.

Seriously? This is hardly a security issue.

