Instagram's ongoing fuckery

Ok, well, I have completely failed to MITM Instagram on either iOS or Android. If you can show me how to do that, it would be greatly appreciated. However, if your answer isn't of the form "I just did it, and here are the steps I took" then you're probably just finding the same years-old instructions that I've already tried.

I am willing to throw money at this problem, because right now my nightclub has no promotion on Instagram, and sadly, that matters. But I would like a cheaper solution than "hire a full-time staffer to re-post everything by hand".

I have emailed every company I could find who offer a post-to-Instagram service (Later, Hootsuite, Onlypult, Crowdfireapp, Iconosquare, Bufferapp, Skedsocial, Sproutsocial) and asked them:

Does your service provide the ability to post to my Instagram Business account via an API? That is: I want my server to contact your site and say "post this image or video to my Instagram right now", without me needing to use a GUI or web app to manually schedule it.

Every one of them said "no". Though most or all of these companies appear to have access to the sekrit Facebook API, all of them require you to manually schedule each post by hand in their custom, idiosyncratic online calendar.

Previously, previously, previously.

20 Responses:

  1. Nobody says:

    There is a project called FLUME which is a MacOS desktop Instagram client that is not official. It's published in the AppStore and uses the IG APIs to function yet it is not taken down or anything. Unsure how they're getting away with this but if they can do it so can you? It's not a solution you're looking for but it's interesting to note. Maybe contact the authors about your idea for a better solution since they seem to have done it so well.

    https://flumeapp.com

    • jwz says:

      Worth a look, and I was able to MITM it, but they won't take my money. Well, they took my money but the auth code they sent me doesn't work, and you can't upload anything without paying them. Also their web site has PHP errors atop half of the pages, which is a real good look...

    • jwz says:

      So these guys screwed up their website config badly enough that nobody was able to upgrade to the "Pro" version of their product -- they were sending back PHP errors in what should have been JSON data. Fortunately I was able to MITM and intercept them to convince their app that it had received authorization, which then let me post with it, which then let me MITM that transaction and figure out what new endpoint they were using.

      So yay, I got my thing working again. Our long national nightmare of no Instagram posts has finally come to an end. For now.

      Looks like these guys also reverse-engineered the protocol rather than getting themselves into the perma-beta program. They impersonate an Android phone.

  2. Walter says:

    I would not be even remotely surprised if Mechanical Turk was a part of these services' workflow.

  3. wadim says:

    If the API route looks hopeless, then maybe the browser route with automating a headless browser could work?

    Just found: https://github.com/shriar/Insta-post ...

  4. Glaurung says:

    I am sure there is a reason you can't use an automator script on your own computer to robotically see that a new image has appeared in the promotions directory, so it launches Safari, goes to Instagram, clicks the upload button, etc?

    In other words, since Instagram refuses to make itself automatable, why not find a way to automate the manual process of uploading things to instagram?

    • jwz says:

      You seem to be under the impression that the Instagram web site has the ability to upload pictures.

      You sweet summer child.

      • Gordo says:

        FYI, I have posted from desktop by opening Developer tools and mashing the mobile icon:

        https://imgur.com/a/AWtAdKF

        Now, do you want to automate that with Selenium? Not ideal, but a solvable problem.

        • jwz says:

          Holy crap, that's new! It used to be that even the mobile web site didn't allow uploads of any kind.

          • Big says:

            Where by “new”, you most likely mean ”a bug their regression testing hasn’t caught yet”, so you’ll work out how to automate this approximately 17 minutes before they push a fix with exciting and different bugs that hoses your automation...

          • jwz says:

            Ok, some progress! I was able to MITM a browser on the mobile site and I got uploading of images to timelines and stories working again! Somewhat surprisingly, this also made uploading videos to stories work again (it was the image thumbnail that was crapping out, apparently). But, uploading videos to timelines still isn't working. Because that uses a totally different API because of course it does.

      • Glaurung says:

        My bad, I forgot they only begrudgingly have a web site. But my point stands: instead of bashing your head against the nonexistent API, why not just launch a virtual phone running the official app and use automator scripts to simulate tapping the upload button in the official app (after sideloading your promo images and videos into the virtual phone). There’s definitely apps to add “click at x,y” functionality in automator, like http://www.automatormouseclick.com/

        Sorry to take so long replying. Life is too complex.

  5. John says:

    Could just use this and open the .apk of Instagram, Twitter etc and see the 's3kr1t' urls they post to and all their cookie/auth data.

    Run-down of what it does by this Medium post here

  6. NotARobot says:

    Could you use an actual robot tapping on a phone?

  7. NotATroll says:

    Have you tried Anbox? That's like Wine, but for Android apps.

    It runs all network connections over its own bridge and you get full access to the file system – I am guessing that makes MITM fairly easy.

  8. knife says:

    Facebook has launched a new feature for the whitehat program. Now you can sniff the traffic of the apps easily by enabling this setting: https://web.facebook.com/whitehat/researcher-settings/
