Friday, August 20, 2010

Spoofing Facebook – How to use Places to create an alibi

If you haven't heard, Places is the latest anti-privacy feature that has been added by Facebook to completely expose your every move. PCWorld has a great writeup on the issues surrounding this...

There are numerous privacy issues with Places (your boss knowing you are not at home when sick, your 'friends' knowing when you are out so they can rob you, etc.). However, what if you could spoof your location and turn Facebook Places into your alibi?

Turns out this isn't all that difficult! The following lists the steps to do this...all from your browser!

1. Set up a proxy PC using CAT, Burp, etc. This will allow you to capture the request coming from your mobile device as it passes to Facebook. I used CAT in this situation.

2. Configure your browser to point to the proxy port. The following illustrates this in both Firefox and the iPhone. Note: If you use the iPhone, you will have to allow the proxy to bind to your network interface, as shown below.

3. Set up your proxy to intercept the request. This is easy to do with CAT – just click the 'Intercept Request' checkbox.

4. Log into and click on the new Places tab or the new icon representing the map pointer next to the "What's on your mind?" field and allow your browser to share your location.

5. Use to find an interesting place and obtain the GPS coordinates.

6. In the Places page, click on the Add button. This will generate a request, which the proxy will capture, that looks something like the following. Allow this request to pass through.

7. Enter a unique name (description optional), hit the Add button and intercept the request. This will generate two requests. The first contains the new location as part of the POST data. Modify the GPS coordinates in this request to the coordinates you have obtained. In the second POST request, update the GPS coordinates in the URL. Finally, let the browser finish up with a few requests and you will be rewarded with a new location. The following images show the updates and the final location.

8. Finally, click the Check In button to set your Profile to the new location. NOTE: Facebook has some logic built into the backend to prevent globe hopping. However, it is fairly flexible. You will again have to modify the POST request details to your preferred GPS coordinates.

If you hover over or click on the location, you will see a map of the area – both of these are sitting off the coast of New Jersey…

So, with a little URL request modification you can create a new location, move yourself to that location, and tell the world where you are! Keep this in mind if you ever have the need to convince the world that "Yes, you really were at that rally" or "No, I wasn't with so-and-so! See, Facebook had me in another town!". Oh the fun.
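Step 8 mentions backend logic that prevents globe hopping. The sketch below is an added example, not Facebook's code or anything from the original post, showing how a server could apply that kind of plausibility check to consecutive check-ins. The speed ceiling, the GPS tolerance and all names (`CheckIn`, `review_checkin`) are assumptions.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed
GPS_SLACK_KM = 1.0     # assumed tolerance for ordinary GPS error

@dataclass
class CheckIn:
    lat: float
    lon: float
    ts: float  # Unix seconds stamped by the server, never by the client

def haversine_km(a, b):
    """Great-circle distance between two check-ins, in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(min(1.0, h)))

def valid_coords(c):
    """Reject NaN/inf and values outside the latitude/longitude ranges."""
    return (math.isfinite(c.lat) and math.isfinite(c.lon)
            and -90 <= c.lat <= 90 and -180 <= c.lon <= 180)

def review_checkin(prev, new):
    """Return (verdict, reason); verdict is 'accept', 'flag' or 'reject'."""
    if not valid_coords(new):
        return ("reject", "coordinates out of range")
    if prev is None:
        return ("accept", "no earlier check-in to compare against")
    elapsed_h = (new.ts - prev.ts) / 3600.0
    if elapsed_h < 0:
        return ("reject", "timestamp precedes the previous check-in")
    dist = haversine_km(prev, new)
    reachable = MAX_SPEED_KMH * elapsed_h + GPS_SLACK_KM
    if dist > reachable:
        return ("flag", f"{dist:.0f} km in {elapsed_h:.2f} h is faster than {MAX_SPEED_KMH:.0f} km/h")
    return ("accept", f"{dist:.0f} km in {elapsed_h:.2f} h is plausible")

if __name__ == "__main__":
    # Constructed sample data: New York, then London 30 minutes and 8 hours later.
    nyc = CheckIn(40.7128, -74.0060, 0)
    for later in (CheckIn(51.5074, -0.1278, 1800), CheckIn(51.5074, -0.1278, 8 * 3600)):
        print(review_checkin(nyc, later))
```

A velocity check like this only bounds implausible jumps; it cannot establish that client-reported coordinates are genuine, so a check-in should not be treated as evidence of physical presence.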