
How to become the Mayor of Krasnodar



As you may have guessed, this article is about Foursquare.

Foursquare's statistics are impressive. In Russia alone, a million people use this social network. You can find out whether your neighbours use 4sq on this check-in map.

One of the main "features" of 4sq is badges: special achievements that you get for visiting various places.
There are a lot of badges in total.



But we are interested in one very specific badge: the Mayor badge.

The Mayor badge is awarded to the user who has the most regular check-ins at a single place.
Two things make it valuable:

1. The Mayor's avatar is displayed on the venue page (if the venue is popular, this makes you unbelievably cool!);
2. Mayors often get various discounts and promotions.



What does it take to become a Mayor (apart from membership in the ER party)?



In addition, 4sq has protection against check-in flooding:


As in real life, there are several ways to become Mayor that bypass the "classic" route. That is what we will talk about next.

Method one. Faking GPS coordinates.


For your check-in to "count" towards mayorship, you must be physically located at the required venue. The easiest way to achieve this is to run an app on your phone that fakes the GPS fix.



The advantage of this method is a 100% guarantee that the check-in counts. The downside is that it is 100% manual work.

Method two. Developer API.


Why mess with the phone when you can send commands straight to the server via the 4sq developer API!



Unfortunately, working with the DevAPI revealed a number of significant shortcomings: a broken User-Agent in POST requests, some undocumented parameters are missing, and, most importantly, check-ins submitted this way do not count towards mayorship (apparently there is a filter on that very User-Agent).

Method three, and the last. Spoofing the smartphone.


Unlike Instagram, 4sq uses a secure HTTPS connection, so all traffic between the device and the server is encrypted.
To intercept the HTTPS traffic from the phone, we need to:

Add the PortSwigger CA to the user certificate store on the phone (and don't forget to remove it afterwards), enable proxy mode in Burp Suite on the PC, enter the proxy settings in ProxyDroid on the phone, and route all traffic through our proxy.

In this scheme, Burp Suite performs a MITM attack on the HTTPS connection, and because the Burp CA certificate is trusted in the phone's certificate store, the phone cannot detect it.

As a result, we get the HTTPS traffic between the phone and the 4sq server in the clear:



What immediately catches the eye is a heap of undocumented DeveloperAPI parameters: metrics, CheckinComposeActivity, VenueActivity, etc. I did not work out what they are for...
Using Burp's request repeater, you can confirm that resending the packet produces another check-in => we are one step away from the coveted post!

Starting the auto check-in


To automate the check-in process, I decided to use my home router with Linux firmware and cron.
The final bash script for checking in at the Administration of the Krasnodar Territory looks like this:

#!/bin/bash
curl -k -X POST \
  "https://api.foursquare.com/v2/checkins/add" \
  -H "Accept-Language: en-US" \
  -H "Accept-Encoding: gzip" \
  -H "Connection: Keep-Alive" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Host: api.foursquare.com" \
  --user-agent "com.foursquare.android:2013040200:20130402:4.2.2:GT-I9100:release" \
  --data "ll=45.0247440%2C38.9695560&llAcc=27.0&venueId=4bc4419874a9a593308fd5f6&shout=&broadcast=public&oauth_token=<bla-bla-bla>&v=20130402"

Here ll is the latitude and longitude of the venue (you can look it up on Google Maps), llAcc is the GPS accuracy in metres, venueId is the venue identifier (visible in the address bar of any venue page on the 4sq website), and oauth_token is your secret key, which you can obtain either from a packet dump in Burp Suite or via the DeveloperAPI (log in and send a test request using the Try it out! button).
The last parameter is the date on which the server generated the oauth_token. As you can see, my April token is still alive.
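From the defender's side, here is an added example (not part of the original post) of a heuristic a check-in service could run over its logs to flag exactly the cron-driven replay described above: a captured request resent on a schedule carries bit-identical coordinates and accuracy every time and arrives at perfectly regular intervals, whereas a real phone's GPS fix jitters. The log format, user ids and venue names are constructed for this example.

```python
"""Heuristic detector for replayed, cron-driven check-ins (added example).
Constructed sample log lines imitate what a check-in service might record:
UTC timestamp, user, venue, ll, llAcc and the client User-Agent."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

SAMPLE_LOG = """\
2013-05-03T09:00:00Z user=42 venue=V1 ll=45.0247440,38.9695560 llAcc=27.0 ua=com.foursquare.android:4.2.2
2013-05-04T09:00:00Z user=42 venue=V1 ll=45.0247440,38.9695560 llAcc=27.0 ua=com.foursquare.android:4.2.2
2013-05-05T09:00:00Z user=42 venue=V1 ll=45.0247440,38.9695560 llAcc=27.0 ua=com.foursquare.android:4.2.2
2013-05-06T09:00:00Z user=42 venue=V1 ll=45.0247440,38.9695560 llAcc=27.0 ua=com.foursquare.android:4.2.2
2013-05-03T08:51:12Z user=7 venue=V1 ll=45.0247102,38.9696011 llAcc=12.5 ua=com.foursquare.android:4.2.2
2013-05-04T09:14:40Z user=7 venue=V1 ll=45.0248315,38.9694870 llAcc=31.0 ua=com.foursquare.android:4.2.2
2013-05-06T08:45:03Z user=7 venue=V1 ll=45.0246998,38.9695432 llAcc=8.0 ua=com.foursquare.android:4.2.2
2013-05-07T09:02:59Z user=7 venue=V1 ll=45.0247511,38.9695903 llAcc=19.5 ua=com.foursquare.android:4.2.2
"""

def parse_line(line):
    """Split one 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def suspicious_checkins(log, min_checkins=3, max_interval_jitter_s=60):
    """Return {(user, venue): [reasons]} for check-in series that look replayed."""
    series = defaultdict(list)
    for line in log.splitlines():
        if line.strip():
            r = parse_line(line)
            series[(r["user"], r["venue"])].append(r)
    flagged = {}
    for key, recs in series.items():
        if len(recs) < min_checkins:
            continue
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        # A genuine GPS fix does not repeat to 7 decimals with the same accuracy.
        if len({(r["ll"], r["llAcc"]) for r in recs}) == 1:
            reasons.append("identical ll/llAcc on every check-in")
        # cron fires to the second; humans do not.
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        if pstdev(gaps) <= max_interval_jitter_s:
            reasons.append("cron-like regular interval (%.0fs)" % gaps[0])
        if reasons:
            flagged[key] = reasons
    return flagged
```

On the constructed log only user 42 is flagged, on both counts; user 7's organic-looking visits pass.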

After I set up cron with several bash scripts, I managed to forget about Foursquare altogether. So it was especially pleasant one day in May to wake up as the Mayor of both the city and the regional Administration:

Source: https://habr.com/ru/post/187130/
