UBot Underground

You Think Cookies Are Bad? Check this out!



Twitter has implemented a new system to track users of their web-interface using a combination of javascript, DOM objects, and browser-based localStorage to store user session tokens. Your help exploring this will speed up finding a better solution, but so far it looks like uBot is somewhat powerless against this (kinda, read below).

 

If you want to see this in action, head over to Twitter and after logging in do whatever you normally do to clear cookies. You can browse away from Twitter, or remain on the page.. as long as ubot is open the Twitter session will stick with you.

 

Here's where things get tricky. I'm currently sifting through the 20k+ lines of javascript libraries twitter loads up to make the site functional. Somewhere in these libraries is the answer to killing the session cookie using their own functions. Until I can track down those functions (more eyes on this would be awesome!) I've come up with a somewhat 'clunky' method to achieve anonymity with Twitter.

 

Most of my bots for twitter are designed to login and stay on the same session. The ones I use to confirm accounts are the exception and needed a way to clear this session data. As I mentioned above it sticks with ubot as long as the window is open..

 

Here's how I'm doing things now..

 

The first thing I did was to modify my existing bot to make it a one-time-only bot. Meaning, I clicked the play button and it masked its useragent, cleared cookies (the ones we can at least), pulled a job from the manager, used that data to log in, confirm, and log out, then reported back to the manager with a status (confirmed/suspended/retry/review) before stopping. I compiled the bot as "TW-dbConfirm-Single".

 

Then, in the same directory I created a DOS batch file to auto run the single instance of the bot, delay, then loop:

 

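:START
@CLS
@ECHO Launching TW-dbConfirm...
@REM Run one instance of the compiled bot; the batch file resumes when it exits
@TW-dbConfirm-Single.exe /auto
@SET timeCt=30
:TIMER
@IF (%timeCt%)==(0) GOTO START
@CLS
@ECHO Launching TW-dbConfirm in %timeCt% seconds...
@REM Wait one second (1.1.1.1 now answers pings, so the PING delay no longer blocks)
@TIMEOUT /T 1 /NOBREAK >NUL
@SET /a timeCt=timeCt-1
@GOTO TIMER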

 

My ubot single-instance will run, do its thing, and then close. When the program completes, the batch file then moves on to the timer loop until %timeCt% reaches 0 and then jumps back up to START.

 

So there you have it.. Hopefully this helps you guys who work w/Twitter and we can help each other get past this ;]

Link to post
Share on other sites

It's amazing what some companies will do just to block our great software! Go figure.

 

Nice work Super Dave! I am not a javascript guy so my propeller does not spin in that direction.

Link to post
Share on other sites

Will running the shell command to clear tracks by process help with this at all?

 

In your shell node command run this file...

 

RunDll32.exe InetCpl.cpl,ClearMyTracksByProcess 4351

 

James

Link to post
Share on other sites

Naw James, I suspect that twitter is using Javascript sorcery to somehow keep a global object in the browser memory remembering who you are. Restarting the browser restarts the javascript engine, hence it logs you out. That's my theory at least.

Link to post
Share on other sites
  • 3 weeks later...

Navigate with post data

 

 

<form id="signout-form" class="signout-form" action="/logout" method="POST">
<a class="signout-button" href="#">Sign out</a>
<input type='hidden' value='' name='authenticity_token' class='authenticity_token' />
</form>

 

 

Navigate to twitter.com/logout with post data where authenticity_token is null; that should do the trick to clear the session.

Then wipe cookie data from the PC.

  • Like 2
Link to post
Share on other sites
