When an application sends an update to Twitter it can specify the ‘source’. The screenshot above shows an update where I used ‘foursquare’ as the source even though it wasn’t sent by Foursquare. No, I don’t think this is a security issue; it can be funny though.
Early this afternoon @BreakingNews posted “BULLETIN — OUSTED HONDURAN PRESIDENT ZELAYA RETURNS TO HONDURAS.” I found this humorous because when you become a mayor on Foursquare it announces to Twitter using the same style: It names a person, a location, a title, and uses the word ‘ousted’. Here’s an example of a mayor update. I constructed a fake update saying that I had ousted Zelaya as president of Honduras. Chris Nelson pointed out to me that I could specify the source as well, so I went for a slightly more involved joke.
Foursquare also announces to Twitter when you unlock a badge. Here’s is an example of me unlocking a badge. Clicking the bit.ly link takes you to a Foursquare page that describes the badge. I decided to make my own ‘Dictator’ badge. While New York has a number of Foursquare badges, Los Angeles has a limited number, so I wanted to surprise people with a new badge. I recreated the URL structure on my own domain (almost) and created a new badge image and text. I then updated Twitter using the same language as Foursquare and using ‘foursquare’ as the source. Here is the tweet and my fake badge (the design is from here).
Now to dream up useful ways to abuse this.
2 thoughts on “Foursquare badge spoofing”
I saw those updates this afternoon, and I thought, “Foursquare has a dictator badge? And Eliot is the dictator of LA?” I even specifically checked the source, since a lot of people post mock-foursquare updates, and on top of that, I didn’t notice that the “Dictator badge” page wasn’t hosted on foursquare.com. Consider me pwned.
@cnelson pointed out that fousquare.com was available and was wondering if my joke was worth $7.