TakeThisLollipop - really clever/creepy use of the Facebook API (takethislollipop.com)
440 points by wesleyzhao on Oct 18, 2011 | 133 comments

Looks like it's connected with the ad agency Evolution Bureau ("EVB") (clients: [1]), the same people who did the Office Depot-branded "Elf Yourself" sensation [2].

Why do I think it's EVB? This is the only other site on the same IP as manipulation.com, and manipulation.com is registered clearly to EVB. The agency's creative work is consistent with this project too.

[1] http://evb.com/work/

[2] http://elf.evb-archive.com/

It's not Evolution Bureau.

It was Jason Zada (http://jasonzada.com/) a Commercial and Music Video director who may have at one point been at EVB (and was the one who registered manipulation.com) but apparently he's now at Tool of North America.


It's at least the same director as Elf Yourself, according to the actor in it (https://twitter.com/#!/billoberstjr/status/12611132567074816...).

On Twitter, EVB's CEO said they didn't do the site.


any idea who the client is? i searched for "evb google" but didn't come up with anything...

Funny, my hosts file seems to interrupt the flow of this prank slightly.

We'll see how my s.o. reacts to it, but on my machine it does absolutely nothing.

In case you're wondering what is in my hosts file:

  www.facebook.com
  facebook.com
  connect.facebook.net
  facebook.net
  fbcdn.net
  www.fbcdn.net
  badge.facebook.com
  blog.facebook.com
  en-gb.facebook.com
  developers.facebook.com
  touch.facebook.com
  de-de.facebook.com
  stories.facebook.com
  it-it.facebook.com
  hu-hu.facebook.com
  peace.facebook.com
  et-ee.facebook.com
  az-az.facebook.com
  0.facebook.com
  apps.facebook.com
A nice side-effect of this seems to be that the web has become a lot more responsive. No more 'like' buttons popping up all over the place.

edit: regarding my s.o. it's been an interesting morning, this app seems to have opened her eyes to facebook in a different way. No more apps.

You can achieve a similar thing with the ghostery extension.


Wow cool thanks for the link. Just installed it.

Ah that's why I see nothing. Nice!

thanks, also didn't know about this one - was using 'abine' which is similar. I like the ghost icon though :-)

Is it actually funny or surprising to you, given your hosts configuration, or did you just want to mention it?

Surprising, because I'd totally forgotten about it and really wanted to see what this was all about (after reading some of the comments here).

So I thought to myself 'ok, this once' knowing I'd be sticking my head out. It took me a minute or two to realize the cause and I thought that was a nice side-effect of solving this at the DNS layer, even when you're momentarily stupid this will still create enough of a barrier that you'll stop to think a bit longer.

I didn't know about the ghostery extension, so thanks to the person that posted that, that's another good solution.

FB has had its use for me (it found a bunch of long lost people), I haven't been back since.

i'm guessing that you actually have a bunch of other sites blocked in your hosts file, as well. on the assumption that you do, do you ever see any network performance issues related to this? i used to maintain a rather large hosts file for this purpose, but eventually gave it up because i suspected that it had started doing more harm than good.

No, facebook has a special place in my heart, which is why they got 'special treatment'.

Other than the usual suspects and FB my host file is empty.

I can see how a huge hostfile would impact performance, and I would advise against using it to block a very large number of hosts.

Some of these hostnames are quite arcane to me (peace.facebook.com); did you get them from a list somewhere or did you identify each one of them yourself?

You're better off using a browser extension or other technique.

Facebook uses a lot of subdomains like static.ak.fbcdn.net and there's no way you can include them all in your list.

Good point. I'm pretty old school so the hosts file was my first line of defense. I didn't know about ghostery until this thread so that's installed now as well.

Just point your dns cache to an instance of tinydns that is configured to be authoritative for fb's domains.

There was another discussion on this point, where a few others were added: static.ak.fbcdn.net www.static.ak.fbcdn.net login.facebook.com www.login.facebook.com fbcdn.com www.fbcdn.com static.ak.connect.facebook.com www.static.ak.connect.facebook.com
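
Added example (not part of the thread and not any commenter's code): a Python check of the point made above that a hosts file matches exact names only, so unlisted subdomains still resolve, while a block applied to the whole domain at the resolver, as the tinydns suggestion implies, covers them. The hosts text, the zone set and the two control names (`notfacebook.com`, `example.org`) are constructed for illustration.

```python
"""Added example: exact-name hosts blocking vs. zone-level blocking."""

# Constructed sample in hosts-file syntax; hostnames are taken from the thread.
HOSTS_TEXT = """\
127.0.0.1 localhost
0.0.0.0 www.facebook.com facebook.com
0.0.0.0 connect.facebook.net facebook.net
0.0.0.0 fbcdn.net www.fbcdn.net  # trailing comments are allowed
"""

# Assumption: the domains a resolver-level block would be authoritative for.
ZONES = {"facebook.com", "facebook.net", "fbcdn.net"}

# Constructed lookups: names from the thread's lists plus two controls.
QUERIES = ["www.facebook.com", "static.ak.fbcdn.net", "login.facebook.com",
           "notfacebook.com", "example.org"]

SINKS = {"0.0.0.0", "127.0.0.1"}


def blocked_names(hosts_text):
    """Names a hosts file maps to a sink address (exact names only)."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in SINKS:
            continue
        names.update(n.lower().rstrip(".") for n in fields[1:])
    names.discard("localhost")
    return names


def hosts_verdict(query, blocked):
    """'blocked' on exact match, 'leaks' if only a parent name is listed."""
    q = query.lower().rstrip(".")
    if q in blocked:
        return "blocked"
    labels = q.split(".")
    # Walk parent names (ak.fbcdn.net, fbcdn.net), stopping before the TLD.
    for i in range(1, len(labels) - 1):
        if ".".join(labels[i:]) in blocked:
            return "leaks"
    return "unlisted"


def zone_blocked(query, zones):
    """Suffix match on label boundaries, covering every subdomain of a zone."""
    q = query.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in zones)


def audit(queries=QUERIES, hosts_text=HOSTS_TEXT, zones=ZONES):
    """Map each query to (hosts-file verdict, covered by zone-level block)."""
    blocked = blocked_names(hosts_text)
    return {q: (hosts_verdict(q, blocked), zone_blocked(q, zones))
            for q in queries}


if __name__ == "__main__":
    for name, (hosts, zone) in audit().items():
        print(f"{name:22} hosts={hosts:9} zone_blocked={zone}")
```

Names reported as `leaks` are the ones to add to the hosts file or to cover with a domain-wide rule; the label-boundary check keeps a look-alike such as `notfacebook.com` from being swept into the block.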

on Opera it just shows a 'like' button. Any ideas on that?

Actually no one really cares what your host file looks like.

One of the problems with speaking for everybody on a forum with 10's of thousands of active users is that invariably you don't.

Your opinion does not equate to everyone's opinion. I'm quite interested in his hosts file (because of blocking like buttons).

This reminds me of a really good bash.org quote: bash.org/?99060

I'm quite interested. Mostly because I use similar Facebook blocking techniques so it's nice to know what others do too.

I saw a Second City improv last winter, and one of the better sketches exploited Facebook similarly, albeit in a more lighthearted and humorous way.

Prior to the performance they would find an audience member's Facebook page using their credit card or mailing address (presumably), and write a sketch based on the details extracted from his or her page.

They incorporated the lucky patron's inevitable reaction into the sketch under the pretense of reprimanding him for disrupting the show. After letting him squirm a bit under the spotlight, the punchline was projecting his Facebook page on the screen across the stage.

Care to explain for those without Facebook accounts?

Indeed. So basically someone made a very high quality video of a creepy dude in a dark room creeping on Facebook and getting really mad. Then (with some special effects they used) they make it look like (almost perfectly) the guy is viewing your profile page, looking through your photos, and creeping on your friends. Then he maps your last known location on Google Maps, looks right at you, and drives over to your house.

It's eerily realistic.

Disclaimer: not my project, found it on the web.

not to mention that, in the car, he has a print out of your profile picture, and a screwdriver (or is it a box cutter) in his hand as he exits the car.

I'm betting it's a lollipop in his hand. The video doesn't make it clear but the ending title screen shows a lollipop taped to something so I feel like that was a hint.

" ... Just upload lots of pictures of cats, then it's LOL funny." -Jason Zada

It's an example of how much personal data you actually leak through Facebook illustrated through a movie of a crazy serial killer browsing Facebook, with nicely done overlays of your actual personal data that the app pulled from you.

  movie of a crazy serial killer browsing Facebook
Serial killer? That's just your assumption, based on video editing. Remember the scene in Men in Black, where Will Smith is asked to shoot cardboard aliens and shoots a little girl instead?

HN Against Prejudice! :-)

(showed TakeThisLollipop to my gf, who freaked out and immediately deleted all fb apps... so prejudiced!)

Since when does "leak" equate to "explicitly grant permission to access"?

It is not like the app is getting information that some random hacker can access, at least if you have any privacy controls set on your Facebook profile.

Right, because Facebook would never change their privacy policies on a whim without giving users warning ahead of time. At least they probably won't. Anymore. Well, only if they really need to.

No, it's getting information some random website can access by offering you a picture of a lollipop. Stranger danger?

no, not really, considering you have to explicitly allow the app to access all that data...

Exactly, and you did allow it to do that on nothing more than an image of a lollipop and endorsement from this community.

Except I didn't. The confirmation page was enough for me to drive home the point.

that seems reasonable to me. if something gets to the top spot on HN, I'd think it's worth a try. some other random app? much different story.

Yes but I'm sure many people did... And it wasn't hard to do.

I guess this is a teaser trailer: http://www.youtube.com/watch?v=-xBA0mpWuuo

Can someone make a video of this thing ?

thank you but... that guy's screen is just white

I imagine that is the video that gets overlaid with the info gathered with the FB api

Definitely not as dramatic with the blank page.

For me, this was rendered hilarious by some of the images people have tagged me in on Facebook that don't actually have me in them. Seeing the serial killer erotically stroke a picture of a T-Pain coffee mug is rather amusing.

That being said, is there any way I can be sure besides the disclaimer that this isn't actually saving/using my personal data outside of the video? I guess that's part of the point, that I really can't, though.

I don't have facebook. Anyone mind writing a tldr?

It's a facebook app. It asks your permission to access pretty much everything on your profile and when you finally accept it cuts to a fullscreen, high production video of an incredibly creepy actor on a computer in a really dingy room. It then cuts to the computer screen and shows the creepy guy scrolling through your profile page in a very realistic manner as well as clicking through some of your photos and friends. The guy looks more and more irritated and angry and he goes and looks up your location on google maps (with mixed results, mine was relatively close).

It then cuts to him driving with a picture of your profile pic stuck to his dashboard, the whole time you get the feeling this guy is tracking you down with the intention of hurting you.

Really creepy and incredibly well done and surprisingly not obvious in terms of what they are promoting.

What are they promoting?

No idea to tell you the truth. This is probably one of those 'build the hype, keep people guessing' campaigns and eventually it will all come out.

There really was nothing in the clip that indicated any form of a product or brand. It could be a movie teaser or a teaser for a TV show and if it is, I for one will watch it.

Whatever it was they should have anticipated the popularity a bit better, they seem to be down/very slow for hours now.


It's extremely creepy -- I watched a video on YouTube rather than sharing my own data, but I can imagine it.

They should consider adding a "trigger" warning, though, so rape survivors and so on can realize they're signing up for something that may be extremely upsetting and has nothing to do with lollipops.

Dunno if they thought about it and don't want to ruin the surprise for people who'll have more expected responses; but it's unfortunately one of those things that's going to be passed around with no more description than "hey check this out it's very educational".

Here's a video of what happens after you log in:


Thanks for the YT link since the site is down and I was curious. It seems to be very professionally done, I'm quite impressed.

thanks. no-way i was going to allow some random site access to facebook ... video/insertion is pretty well done indeed! :-)

This actually just freezes for me/nothing happens after I click "Connect with Facebook". Chromium 12.0.742.112 (90304) Ubuntu 10.10.

I had the same. I looked at it in chrome inspector and it turned out the reason was that I didn't allow the 2nd set of access rights, because it said it was optional.

I didn't allow them and it still worked for me.


I use both Adblock Plus and Better Popup Blocker. But both disabled/site allowed. :-/

Same for me on Chrome + MacOS. I opened it in incognito mode and it worked.

Linux end-user issue #988823422

Why would anyone authorize Facebook access for a random site like this? No privacy policy, no about page, no terms. You have no idea what they're actually doing with your data.

Maybe that's the point of it - most people won't think twice about authorizing, but might realise what they've opted into once they see it.

Sorry, but seeing a privacy policy and about page is not a valid way to judge if an app is malicious or not.

create a fake one-time account? :)

That was amazing. You know it's a joke.. but the production value is so high you can't help but be really creeped out by it. I have removed every app which I have signed up to from accessing my Facebook account. I have also bolted my front door.


I know, it's effing creepy.

I wasn't planning on sleeping tonight anyway!

I gave the guy all those details and pics while authorizing the app!

There's no way to see those things without being my friend.

There's at least one other way... make a creepy viral lollipop site, get it on the front page of hacker news, et al.

This. It's very well done and all, but what is the point? That if you explicitly allow access to one specific application, that application will have access? Or is the creepy guy supposed to be the app developer?

A better idea (maybe not possible, I dunno) might have been to have different things happen based on your privacy settings. That would actually call people's attention to something they should care about, instead of just fear-mongering to everyone regardless.

If you care about your privacy settings and lock them down, you are (probably) not the target audience. And part of a minority anyway.

Speaking of which, how many of your FB friends would grant ~impersonation~ rights to an app without lots of thoughts? And - could that app then, using your _friend_ as proxy, play this particular game of fear with you?

Well, how many other seemingly innocent (or not) apps did you give the same permissions to ?

One interesting thing about how this was designed, it for some reason doesn't get your location from your facebook profile. It uses your IP address, which led to hilarious results because while my facebook rightly says where I am, I was using a SOCKS proxy to access this in a different city and when it showed him looking at a map it showed the route to my SOCKS proxy instead of me. I guess I'm safe and the crazy guy won't kill me :)

Not by IP, FWIW. I'm in Mountain View but the guy seemed to want to find me in Reykjavik, Iceland, where I'm from. (I moved to the Bay Area a month ago, but haven't updated my FB)

This guy over here [1] claims the video tracked his last foursquare check-in. I'm guessing the location algorithm tries to find a best guess of where you might be — hence the inconsistent results.

[1] http://www.jenders.com/2011/10/18/take-this-lollipop-and-the...

I don't think the Facebook API allows you to find your location (although it is possible to retrieve your Facebook location by scraping the Security page for your current login session (which displays your location)).

Also, the location data that is displayed on that page is kind of inaccurate (it says I'm in another state).

I wonder if it would be possible for the app to send you an sms (or even call you!) with some creepy "I'm outside, baby" message at the end of the movie.

Very clever but I imagine it would be cost prohibitive given the amount of people that will try the app out.

The call is coming from inside the house!

That was very, very well done.

How did they do video compositing on top of an embedded browser window in Flash?

Perhaps they pre-rendered the webpages server-side using WebKit or some such and sent a screenshot to Flash....

Flash has the capability of incorporating dynamic content in flash-driven movies. See how to do it (easy example), here:

UPDATE: better link here: http://flashexplained.com/actionscript/loading-external-jpgs...

My guess is that this is an advertisement for LCD monitors... the guy went crazy because he's still using a CRT... poor fella.

Revoked access to tons of applications.

Likewise, found about 30 that I had allowed access to - no idea when I did half of them! All gone now!

Same here. And when I was at it I looked at Twitter.

This is a genius idea. I'm sure it will go viral and everyone (including their mother) will give this site a test drive.

I can only assume that it is designed to do one thing - data mine.

It has the power to post on your wall as well.

Removed the app before they pull that one....

It's nice that you can disallow the permissions granularly, for example, I didn't mind it accessing all my data, but posting AS me on facebook? No. Disabled. Happy days.

This could be exactly what I need to finally get my wife off Facebook....

The production value is very high. FB Open Graph Protocol meta tag found in source:

  <meta property="og:type" content="tv_show"/>
Perhaps it's a viral media stunt to promo a new TV show.

I'm not sure that it is, but now that you mention it I feel like this could actually be a REALLY effective viral media stunt for a new TV Show/Movie...

Here's a similar thing from summer 2010. You and your friends inserted into a horror movie trailer.


It looks like this was made by Jason Zada (https://twitter.com/#!/jasonzada) according to a tweet by the actor (https://twitter.com/#!/billoberstjr/status/12614080094496358...).

If you don't want sites like this to view your stuff, please also set the privacy setting for applications your friends use to a better one. Or else you would be next.

P.S. Since you connect to that application by yourself, that is pretty clear that they can read your friends list, your feed and post as you.

What exactly happens after the one hour on the end? Can't afford to wait right now

he knocks on your door

Yeah, good luck to him finding "X5, Cardiff".

There isn't an "X5" postcode here, nor is it anywhere near where I was last time I did a location based update. The inaccurate google map thing is what made me lul.

I /do/ share location with Facebook, but I sent the guy off looking for " , (null)". I doubt he'll get there soon.

Yeap, they should limit themselves to a higher zoom level. I'm guessing they used geoip, and it's barely close.

yeah, according to him, I study and work at undefined, undefined.

nothing, the clock simply runs out...

will report back tomorrow with a follow up comment ;)

There was something similar with "Notruf Deutschland": http://www.notruf-deutschland.com/teaser/

They had a similar "approach" :)

Still, very nicely done!

Oooh! Well played. I really want the candy, but I know they're going to do something bad with the information they take from me... I'm still tempted.

Ok, so I did it and now I'm never sleeping again.

Brilliant.. could help people think more clearly. Another play on these issues, http://youropenbook.org

Would seem like the viral success has overloaded the site... I can't get it to play any longer, and it worked an hour ago.

What happens when the countdown gets to zero?

I tested this out for you. It just stops at 00:00:00 and nothing happens at all!

Google street view would have been a nice addition too, depending on the accuracy of the geo lookup.

Quality is fantastic, I too am curious as to how they are generating the pages into the movie.

It killed the mood when he searched for ,(null) in Google Maps, but otherwise pretty freaky.

I don't think I get it... when I let a facebook app access my facebook, it can... access my facebook and look at my pictures? anyone can look at my pictures, anyways. i'm missing something here

I seriously hope you're not serious.

1) Of course, you _can_ allow everyone to see your pictures. That's not necessary though and one of the (many) privacy concerns this site seems to focus on. If you share your pictures, you share a HUGE amount of data. Ignore the passed out/joking stuff, you might tell me a lot about your place (expensive stuff in the background? pictures that show a street name?) and your habits (always going to his parents on weekends. currently on vacation). This is, in theory, very easily exploitable, for someone with a criminal mind and the balls to pull off a stunt.

2) Regarding Facebook apps: Well, don't allow those to access your data? You saw what this app did (and automatically, without a human involved). It can exploit the data you're coughing up every day in ways that you probably didn't think about before.

Bottom line: If you're the 'share with everything and play any FB game' type this might not shock you, but others might wake up and stop being very careless with their own private data.

I think it's that you're giving them access based on a picture of a lollipop, while having absolutely no idea who you're giving that access to. Never take candy from strangers.

A little video that gives you the feeling of this, without the personalization:


Amazingly well done... Now, I'm going to cry myself to sleep.

In the same position. Had the new Walking Dead season playing on the TV in the background. Great, great combination.

That is impressively creepy. Wow. Anyone know the background?

He is seriously pissed off that you are advocating the use of Emacs over vim in some Facebook group.

haha, good one.

My 64bit flash player 11 on Linux crashes right away!

Doesn't work for me? Do I not have enough info?

Hilarious that the content & domain name could lend this to being classified, in some filters, as a “shock site” ;)

Mobile Safari: "You need at least Flash Player 10 to view this page."

Apple saves the day again!

Keeps cutting out part way through, but VERY well done.

Geoffrey Grosenbach is next. Oops

crashes flash

This is a pretty disruptive use of the Facebook API. Personalized entertainment content, I love it!

Good luck finding me in the middle of the Indian Ocean dork

