Twitter and Facebook Poster.

[NikoDiakos]

So as i was watching the latest WAN show i saw luke saying that he would prefer a program to do the facebook and twitter posting simultaneously without the use of faebook or twitter api and thats quite easy.I mean we could use java and jsoup to create a program that will first of all login to facebook and twitter with the correct credentials thus populating the coresponding cookies and after that would post a spesific text in both media so linus wouldnt have to remember doing it.The project it self isnt so dificult i was just wondering if anyone else was intrested in this idea.

[Primefoxer]

40 minutes ago, NikoDiakos said:

So as i was watching the latest WAN show i saw luke saying that he would prefer a program to do the facebook and twitter posting simultaneously without the use of faebook or twitter api and thats quite easy.I mean we could use java and jsoup to create a program that will first of all login to facebook and twitter with the correct credentials thus populating the coresponding cookies and after that would post a spesific text in both media so linus wouldnt have to remember doing it.The project it self isnt so dificult i was just wondering if anyone else was intrested in this idea.

Do you mean interested as in making it? It is not difficult at all to create such a system, because there are plenty of libraries for all programming languages that make it easy as hell to automatically login, navigate and click a button. However it's a great way for new software engineers to explore and have fun with as a side-project. Especially if you want to try a new language. (My personal opinion)

But I'll be frank and say that I have absolutely 0 interest in making it.

[NikoDiakos]

No i am intrested in developing it unleast the code for it because obviously an executable would be suspicious from a member with 5 posts.It isnt a dificult task anyway but i would prefer  it being done discretely because i dont know if it would create problems for luke and linus (terms of service).

[Primefoxer]

4 minutes ago, NikoDiakos said:

No i am intrested in developing it unleast the code for it because obviously an executable would be suspicious from a member with 5 posts.It isnt a dificult task anyway but i would prefer  it being done discretely because i dont know if it would create problems for luke and linus (terms of service).

You can easily just make a dummy twitter and facebook account for testing purposes and put the project on github or bitbucket so other developers can check your work. It is also your personal project, not the one of LMG. I personally do not see any issues making the program and releasing the source code, it's not new and not even dangerous. It simply logs in with the username and password provided, navigates to post a message and clicks the button automatically. Unless you are creating a spam bot.. go for it.

[NikoDiakos]

Ok both login mechanisms seem to be working despite the trouble i had with the facebook initial cookies that are present in the javascript and not in the cookie section of the comunicaition packets (took me 2 hours to figure it out).Twitter and facebook login methods are working now i would like to ask where does linus post the WAN updates i mean in his twitter profile and facebook profile or in some other form of page like some special facebook or twitter page 

[NikoDiakos]

If anyone else is interested in the login mechanisms i will post them in my github.

https://github.com/nikodiakos/Facebook_Twitter_Poster

[SnakeDrone]

Having "automatic" login is huge security issue, since your script needs your login information. That's why Facebook, Twitter and other social medias have APIs... and there is allready countless numbers of apps able to do this and more. Like Hootsuite (https://hootsuite.com/) for example.

[NikoDiakos]

On 9/11/2016 at 9:31 PM, SnakeDrone said:

Having "automatic" login is huge security issue, since your script needs your login information. That's why Facebook, Twitter and other social medias have APIs... and there is allready countless numbers of apps able to do this and more. Like Hootsuite (https://hootsuite.com/) for example.

Well all APIS need your login informaition or some other sort of athenticaition method.Plus the post requests can be made (or are i am not sure if i have implemented it) to get over https so mitming this traffic wouldnt do you any good and tho you are correct that there are a lot of already premade libaries that use official facebook and twitter apis those are completely controlled by the facebook and twitter correspondingly and can be used by many different ways to monitor your activity something that i personally wouldnt trust. A browser or the cached browser on the other hand that jsoup offers is mutch more versatile and discrete.

And by the way my script is a basic form of athenticaition if i were to create an autologin function i would never use the password i would use the cookies that i created the time i loged in. I am not sure what those "huge securitiy issues" are but i cant see any way someone could attack the traffic my script generates and get the passwords.

[mikat]

On 11-9-2016 at 8:31 PM, SnakeDrone said:

Having "automatic" login is huge security issue, since your script needs your login information. That's why Facebook, Twitter and other social medias have APIs... and there is allready countless numbers of apps able to do this and more. Like Hootsuite (https://hootsuite.com/) for example.

OAuth?

https://dev.twitter.com/oauth

facebook has its own api:

https://developers.facebook.com/docs/facebook-login/web/accesstokens

[NikoDiakos]

Again i know there are countless libraries that do the exact same thing however i havent found any that dont use the official APIS so you can be a litle more versatile with your comunicaition.My purpose wasnt to create the facebook login program  originally it was to transfer files with a text based comunicaition throw some services like 0.fb(securely)  or other free browser based gsm messaging mechanisms.I just published the login mechanism if someone wanted to implement it in their own way.Your free to use whatever library you trust but i prefer creating my own.

[SnakeDrone]

On 15.9.2016 at 2:55 PM, NikoDiakos said:

Well all APIS need your login informaition or some other sort of athenticaition method.

APIs use authentication where users are not required to share their passwords with 3rd party applications, increasing account security. The applications signed request both identifies the application’s identity in addition to the identity accompanying granted permissions of the end-user you’re making API calls on behalf of, represented by the user’s access token.

 

And anyway, it would break Facebook TOS
https://www.facebook.com/legal/terms
3.2. You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our prior permission.

 

On 15.9.2016 at 2:55 PM, NikoDiakos said:

there are a lot of already premade libaries that use official facebook and twitter apis those are completely controlled by the facebook and twitter correspondingly and can be used by many different ways to monitor your activity something that i personally wouldnt trust. A browser or the cached browser on the other hand that jsoup offers is mutch more versatile and discrete.

Connectivity to the APIs is allways server-side, meaning Facebook, Twitter or whatever never has access to your browser information because of it.

...If the page also has something like a Facebooks "like us" -button (javasript) then that's a different story, but that has nothing to do with the API.

 

 

On 15.9.2016 at 7:47 PM, mikat said:

OAuth?

https://dev.twitter.com/oauth

facebook has its own api:

https://developers.facebook.com/docs/facebook-login/web/accesstokens

Yes, APIs are more secure, as I said
But OP said "without the use of faebook or twitter api"

[NikoDiakos]

1 hour ago, SnakeDrone said:

Connectivity to the APIs is allways server-side, meaning Facebook, Twitter or whatever never has access to your browser information because of it.

I am not refering to browser informaition some of the facebook libaries and twitters too use the acess token witch are directly connected with the developer profile.And they as well can be proven a security flaw in many cases we had cases of malformed acess tokens and even correctly generated ones back when it was first implemented your just puting another means of athenticaition into the login process witch can it self be flawed.

And even then the server has other means to indentify your ip adress, open ports,  i am not aware if you can use a proxy or vpn to handshake via the api i will search it tho in java its 3 lines code.

Second you telling me that the APIS are more secure than the main way of login (via the htts protocol) that is being monetorized all day and any vulnerability in it would be on the spot fixed itsnt logical.The main core of all the facebook its html(xml or other hyperlink based protocols) the mobile apps are based on it as well.

And i havent understood what is the security your refering to encryption on the in between end hashing on the database or a security flaw in my script.

And thirdly i am not automating the means of login something like that would require me bypassing the image verificaition something that is highly illegal.If you dont verify correctly on the 4-5th time my script doesnt work and it was intentionally implemented that way.

Again i am enjoying the converaition and i would like to know spesificly what your refering to not for any other reason but to fix it or implement it in a better way.

 

[SnakeDrone]

1 hour ago, NikoDiakos said:

I am not refering to browser informaition some of the facebook libaries and twitters too use the acess token witch are directly connected with the developer profile.And they as well can be proven a security flaw in many cases we had cases of malformed acess tokens and even correctly generated ones back when it was first implemented your just puting another means of athenticaition into the login process witch can it self be flawed.

ah, yes on backend/developer side, I was thinking about the user side.

Sure there has been issues, like allways on development, that happends.

 

1 hour ago, NikoDiakos said:

And even then the server has other means to indentify you ip adress open ports your running a lot of background code behind the nicely implemented methods for example i am not aware if you can use a proxy or vpn to handshake via the api i will search it tho in java its 3 lined code.

Server IP and some other info, yes. User IP and other info, no. (obviously if you are running the server on your own computer, this doesn't apply)

I haven't tested FB API with proxy or vpn between server and FB. But at that point you would have to trust the proxy or vpn provider, on top of Facebook.

 

1 hour ago, NikoDiakos said:

Second you telling me that the APIS are more secure than the main way of login (via the htts protocol) that is being monetorized all day and any vulnerability in it would be on the spot fixed itsnt logical.

And i havent understood what is the security your refering to encryption on the in between end hashing on the database or a security flaw in my script.

That's wrong question. The correct one is:

Do I trust APIs and manual (https) login more than giving my login credentials to 3rd party application for "automatic login"?

And the answer obviously is that I trust APIs and manual (https) login more.

 

I understand that if you code it yourself, it's not technically "3rd party application", but if anyone at LTT uses it, then it literally is.

The security issues I mentioned rise more from having to trust 3rd party application and the server running it rather than fear of man-in-the-middle type of attacks.

But again... Running this on you own computer for yourself this wouldn't really be a problem, but as soon as it's provided as service, then it is.

 

1 hour ago, NikoDiakos said:

And thirdly i am not automating the means of login something like that would require me bypassing the image verificaition something that is highly illegal.If you dont verify correctly on the 4-5th time my script doesnt work and it was intentionally implemented that way.

Wrong.

If you login without user action, that is defined as automatic login and as such it's prohibited by Facebook TOS.*

Bypassing any security features is on another level and yes that's illegal in some countries.

 

*Note: I did not check the code you submitted, nor am I very familiar on how jsoup works (if you even ended up using that). So I'm not commenting on how your script would be defined. The comment is about general defenition of "automatic login".

 

9 hours ago, NikoDiakos said:

Your free to use whatever library you trust but i prefer creating my own.

I totally agree with this. I use my own library... but it uses the APIs

 

1 hour ago, NikoDiakos said:

Again i am enjoying the converaition and i would like to know spesificly what your refering to not for any other reason but to fix it or implement it in a better way.

[mikat]

5 hours ago, SnakeDrone said:

Yes, APIs are more secure, as I said
But OP said "without the use of faebook or twitter api"

how are they more secure?

and sorry i didn't see that in OP's post, my fault

 

[NikoDiakos]

13 hours ago, mikat said:

how are they more secure?

I would like to know the same as well snakes main argument is that facebook controlls third party programs sutch as mine with acess token witch are connected to a developer profile my argument is that with sutch a small program and without the includance of libraries i couldnt do anything to get the credentials even if i wanted to .

I havent understood what is that server side that he is refering to and how it doesnt invole the client in the communicaition 

 

15 hours ago, SnakeDrone said:

Server IP and some other info, yes. User IP and other info, no.

How can an API not make any sort of comunicaition between the server(facebook) and the client when it is refering to a web / multinetwork applicaition ?

 

I would also like somone who is familiar with java to inspect my script so its not said only from me.