Facebook Tries to pwn Your Web Browser (again)

12-08-2019

If you're like me, you don't (by habit) use a web browser that's "up to date" (as dictators like Google, Microsoft, Mozilla, and Safari have decided to label it). And so, you may have noticed a message with a yellow highlight when connecting to Facebook's index. It says something like: "We won't be supporting this browser, soon. Update your browser for a better experience."

Now-- this is complete bullshit. And, hackers (like myself) recognize this immediately. As a web developer of seven years (at the time of this writing), I understand right away that the message on this random yellow banner is inaccurate. It should really say something like: "We have arbitrarily decided that a browser's user agent string will disqualify it from connecting to our site. It will make absolutely no difference what the string is if we develop html and php properly. But-- it *may* mean our developers have to think before they write code. And, our developers are too lazy to develop software that conforms to html standards-- even though it's actually easier to develop html that way. In fact, thinking for a brief period before writing software ensures less changes will be necessary later. However, it's unpopular to admit that developing software properly is easier than developing software that is considered *cool* during this period of time. And, we have chosen to develop web software that is considered cool or hip during *the present time* instead of developing software that actually works."

And (of course), Facebook developers have made no mention of web development features that are common knowledge-- such as "user agent strings". But, us hackers realize that we can (obviously) continue using Facebook as long as our user agent string is set to a value that Facebook's apache daemon does not recognize as a value that should disqualify the hosting browser from receiving web pages. So if you're having this problem (which isn't really a problem), here's what you can do. :D

In the old days, a user could easily change a user agent string. Modern browsers (written by inexperienced software developers with a poor understanding of basic programming techniques) make changing this simple feature very difficult. The feature is hidden in a highly undocumented page a user is supposed to *just know* to type into their browser's address bar: about:config. Visiting "about:config" with your browser (at least most of them) displays a butt-load of features with values that most users know nothing about. You'll need this page to change a user agent string.

First, about:config will display some kind of warning message that has nothing to do with anything you're about to do (something like "You should not change settings in your own software because it may not work no more! :o"). But, you can ignore this nonsense with a yawn and click "I accept the risks-- leave me alone!" (or, whatever stupid thing the button says). Then, you gotta find where you can change the user agent string. All the about:config pages I've ever seen have a text field at the top of the page with an image of a magnifying glass (many developers have assumed there is a consensus that an image of a magnifying glass means "You can use this area to search for stuff.")

By typing "useragent" in the text field and clicking the magnifying glass (some about:config pages check the field periodically and only show features that contain the value stored in the text field-- requiring no clicking of said magnifying glass), the page will show only features that contain the string "useragent". One of those will contain a string, like: "Mozilla/5.0 (X11; Linux armv7l; rv:43.0) Gecko/20100101 Firefox/43.0 SeaMonkey/2.40". That's what *mine* says by default. This is because I'm using a Seamonkey browser that came with SlackwareArm-14.2-hfp.

And so (in order to instruct Facebook that your browser is allowed to receive Facebook's beloved html code that only elite users are allowed to download), you can simply change this value to one that Facebook's developers have arbitrarily decided is acceptable. I chose to use a Firefox user agent string for mine. That's because Facebook developers currently concede that Firefox is an acceptable browser to allow access to their precious resources. This (of course) can change at any time depending on some silly, capricious decision that pitiful developers of Facebook make for absolutely no good reason.

At the time of this writing, the convention for Firefox user agent strings was:

Mozilla/5.0 (<API> <processor architecture>; rv:<revision>) Gecko/20100101 Firefox/<revision>

All my user agent strings are currently set like this:

Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0

Although, any of the following are acceptable Firefox user agent strings:

Mozilla/5.0 (Android 4.4; Mobile; rv:69.0) Gecko/69.0 Firefox/69.0
Mozilla/5.0 (Android 4.4; Tablet; rv:69.0) Gecko/69.0 Firefox/69.0
Mozilla/5.0 (X11; Linux armv7l; rv:69.0) Gecko/20100101 Firefox/69.0
Mozilla/5.0 (X11; Linux i686; rv:69.0) Gecko/20100101 Firefox/69.0
Mozilla/5.0 (X11; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0
Mozilla/5.0 (Windows NT x.y; rv:69.0) Gecko/20100101 Firefox/69.0
Mozilla/5.0 (Windows NT x.y; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0

And (most likely), Firefox developers have already changed the version of their web browser like a hundred thousand times since I made this list. I've noticed they enjoy arbitrarily changing features at random and re-branding their web browser as many times as they possibly can in one day (for some strange reason??) But-- version 69.0 will probably be considered "acceptable" to Facebook's apache daemon for a good, long while. So, it should be safe to use that version number for a couple years. We'll see.

Now, the Seamonkey that came with *my* system had no user agent feature by default. Not sure why. I had to search for a while to learn how to change mine. You're supposed to *just know* to add a new string to your about:config page. You were born knowing that, right?? Derr!!!

If you face this problem (as I did), you can right click your about:config page and click "New > String". The name of the string you will want to add is "general.useragent.override". Then, you can right click this value and click "Modify". And, you can change the value to one of your choice. If you feel like you need to change this back for some reason, you can right click the string you added and click "Reset". This is supposed to delete the string from your about:config page. Although, I've found I have to completely close my browser and re-open it as soon as I click "Reset". Otherwise, the value remains and stays set.

And-- something *else* I noticed is that you can't mess this string up!! If you leave a character out or use a version number that is not a real Firefox version, Facebook will force you to change your password! And, it will not (under ANY circumstances) allow you to re-use that password for some strange reason!! What a piece of shit. This happens because Facebook's php doesn't translate user agent strings properly. And furthermore, it's not considering a version number as a value. It's simply checking that a version number matches a version number in a database. This is pretty risky since a mismatch hijacks a user's password. How unsavory! That is piss poor software development, there. Wow!

So-- use this hack carefully, my friends. And, let's hope Facebook *never, ever, ever* misses a new Firefox version. That would leave a lot of pissed off Facebook users having to change their passwords with no way to change them back!! :ooo

I'm gonna laugh my ass off for weeks if this happens! xD

Back

______________________________________________

Follow me on:

Facebook
Twitter

html revised 2020-07-08 by Michael Atkins.

The maintainer of insanelywittystupidity.com does not care if people duplicate this page or any part of it-- as long as this notice remains intact.