Monday, March 15, 2010

F**king with Foursquare

Foursquare is pretty neat. You can post you location via phone or browser and get nifty badges for different things or become a mayor of a place if you check in to that location the most. Its also exceedingly easy to cheat at.

I only casually mentioned the idea of cheating to @Jack_Mannino and within a few minutes of emailing him the link to the API he was already traveling the globe at record speed.

Foursquare even has a nifty and pretty easy to understand API here:

The simplest thing you can do is checkin and post your location by vid or venue.

Formats: XML, JSON
HTTP Method(s): POST
Requires Authentication: Yes
  • vid - (optional, not necessary if you are 'shouting' or have a venue name). ID of the venue where you want to check-in
  • venue - (optional, not necessary if you are 'shouting' or have a vid) if you don't have a venue ID or would rather prefer a 'venueless' checkin, pass the venue name as a string using this parameter. it will become an 'orphan' (no address or venueid but with geolat, geolong)
  • shout - (optional) a message about your check-in. the maximum length of this field is 140 characters
  • private - (optional). "1" means "don't show your friends". "0" means "show everyone"
  • twitter - (optional, defaults to the user's setting). "1" means "send to Twitter". "0" means "don't send to Twitter"
  • facebook - (optional, defaults to the user's setting). "1" means "send to Facebook". "0" means "don't send to Facebook"
  • geolat - (optional, but recommended)
  • geolong - (optional, but recommended)

So a sample request would look like:

POST /v1/checkin?vid= HTTP/1.1
Authorization: Basic
Proxy-Connection: Keep-Alive



It being a POST you'll have to write some code to handle the Content-Length or use Burp Repeater or Metasploit.

Have fun traveling the globe from your living room.


No comments: