
But the intro to HTTP: we all know it, right? Because we're all on the internet all the time; everybody that's on their phone right now is using HTTP. So, and what does it stand for? HTML to technology protocol? And where is this? Yeah, the cat thing, YouTube's everywhere, you know. So okay, the actual HTTP: Hypertext Transfer Protocol. And according to Wikipedia, the, you know, definitive source of all knowledge, it stands for risking the hypertext is structured text that uses logical links, a.k.a. hyperlinks, between nodes containing text. HTTP is the protocol to exchange or transfer hypertext. That's really drawn out to say we send stuff back and forth, like, we use links to send [ __ ]. Okay, so, yeah, so as far as like
the piece of HTTP that really ties in to REST: HTTP communicates using verbs, a.k.a. methods, such as, well, we're gonna touch on them in a second, but different methods to, you know, conduct business, so to speak, across the internet, if we're receiving a web page or sending data or whatnot. So let's take a look at those. So some of the methods we have: GET, POST, PUT, PATCH, DELETE, and lots more, because there's, you know, extensions and extensions to the protocol year after year. So let's dive into them a little bit. So a GET request: that requests or retrieves a record. So as we go through these methods, I've put some SQL equivalents in here, which
seems totally irrelevant to HTTP, but it does tie in later on, so bear with me. So a GET request is kind of like a SELECT statement in SQL, if you will; like, we're getting data. So a POST request creates a record; the orange see Gordon it might be an INSERT. The record must not already exist. And I'll say this a couple of times as we go through, but this is all according to the proper standard and whatnot. What's actually done is up to the developer. Anybody that's writing a web server can write whatever they want. They can, you know, if they want to retrieve web pages using POSTs constantly and POST between every single
page, they probably shouldn't be a web developer, but, you know, that's a thing they can do. In my early web development days, or REST days I should say, using Flask, you know, I saw you can specify different actions based on what type of request you have: if it's a GET request do this, if it's a POST do this, et cetera. You know, you can do whatever you want, so that's the beauty of development, in theory. So okay, a PUT request updates a record. If it doesn't exist, it creates a new record, so it's like an INSERT or an UPDATE in SQL. A PATCH: partial modification of an existing record; SQL UPDATE again. The, you know,
the SQL comparison is not foolproof here, but. So DELETE: I think we can guess what that does, right? Deletes records. Okay, so some examples here. So if we're, say, loading reddit.com, which is gonna be our example today because that's the main site I'm constantly on all the time. So a GET request is if you're loading up a web page. So now I'm logging into my account: that's a POST request; I'm sending my account data to the server. If I'm changing my password, that's a PUT; I'm updating that complete record for the password, because if we change a password it's changing the entire piece, not just, like, one character, if you're, you know, storing passwords
properly. Say I'm modifying my email address: now I am changing, like, from .com to .net, and the rest of the data can stay there; that could in theory be a PATCH. Delete account: can anybody guess? Don't you? Okay, all right.

So now that we've gone through HTTP, let's talk about REST. So it stands for Representational State Transfer, and this, according to Wikipedia: communication between client and server using Uniform Resource Identifiers, URIs, and HTTP methods to identify objects and perform actions or functions. Okay, so, and the HTTP headers can contain authorization information. So essentially what this means is we're using those HTTP calls to function as an API over the internet. So rather than saying,
rather than using some advanced API, we can say, like my example with Flask before, if a GET request goes to this URL, perform this action; if it's a POST request, do this; if it's this URL, do that. And based on the path of the URL, it really can be object-oriented. We can say, like, the user path, like reddit.com/user/whomever, and we're going to get to that in a second, that's an object, and then perform various methods on that object once you start, you know, going in a path past that name itself. So an example here: say I want to view my account. GET reddit.com/u; that's the user
specifier there, so I have a green VHM. Now if I want to view my comments, so that would be another GET request to my user account and then /comments. So like I said, that's working at, say, a comments property of my user object. Now if I want to view my messages, you know, I can't, nobody, obviously not everybody can just log in and view my private messages, hopefully; you need some kind of authentication, and you can either send that data in the POST or you can send it in an Authorization header. So that might be GET reddit.com/message/inbox, and now we're going to the message path rather
than the user path, and so that's a different type of object, or a different database that I might be looking at, or what have you. Okay, so if I want to view my sent messages, again requires authorization: another GET request to the message object, say, and then the sent path. Send a message, and we'll do, you know, a couple more of these: so POST. So you see, retrieving data: GET request; sending data: POST request. And we'll go into a little more program-specific stuff right now. So here's my username; that's a user object. Now the GET request for that might be the equivalent of I eat green B hmm, that is the instance of my user object, get
profile, so we're calling a method based on the path of the URL. Now if I want to view my comments, we showed the comment path; that's a comments object. Now it's a property of my user object, so the GET request for that might be the equivalent of a green bhm comments get comments, and the POST request might be meet comments, and then pass the comment text and whatever other metadata as a parameter to that call. So does everybody see sort of how this equates? Like, path and HTTP method equals, you know, normal API call. And once you sort of figure this out, it makes programming for a mobile app or what have you a lot easier, because now
you can really see, okay, I'm designing, again, Flask, say; I want to perform this function, so design whatever method within the GET for this path, and now my app just calls this URL with a GET request and my function happens. So again, continuing through this: the inbox might be a list of message objects, and a GET request might be my user object get messages, and message/compose might be, there we go, a send message. So we're creating a new message object via the send message method of the eggwin Beecham object instance.

Okay, so JSON: it's the preferred data format for REST. I've seen all kinds of different data formats used, but it's the most readable
in my opinion, and it's also very lightweight. So it stands for JavaScript Object Notation, and all it really is is key-value pairs, and this is the same thing as a Python dictionary. So they're signified by curly brackets, or braces, and as far as the values go, they can be text, lists, or key-value pairs, so we can contain other types of data within this, but it's all text-based. So here's an example: so my username, and you see that curly brace starting; the key is username and the value is a queen b hm. Twitter is the key, at dignity hm, you get the idea. Now here we've got comments, and you see the square bracket
next to it; that signifies a list, or maybe an array, depending on what your language of choice is. So now we've got a list of different comment objects, and within that you see the first curly brace, then the ID, and then the text, so that's a comment object, and then the comma signifies the next object in a list. Then we have another comment object, and we can have as many of those as there might be. So yeah, all this gets passed in the body of the request itself and everything is good. We can also pass data, say, just in the URL itself. You know, a lot of times with PHP you see that, you
know, question mark, key equals what-have-you, ampersand, and, you know, you have a ridiculously long URL with all kinds of parameters. Or you can do a combination of those two: maybe the authentication goes in the URL and then the rest of the request is in the data. Again, it's up to you developing the app and the server that corresponds with it.

So what are some benefits of REST? The readable design: it's easy to determine the function based on the URL. Like we said, based on the path, it's really easy to determine what's happening here. The first piece of that user account path, my username: okay, we're looking at the user object. Then
/comments: okay, we're looking at the comments of that user object. It's lightweight; we were just talking about how, you know, it's really focused on JSON and text preferably, and yeah, it really passes as little as possible over the web. So because so many mobile apps are using REST to communicate, that's really important when you have limited data. It's also stateless, meaning you don't need to keep a constant connection with the server. Every request has authorization data, so that way the server doesn't need to keep track of who's connected and logged in and all that. If you speak to the server with a valid authorization header, whatever method of authenticating, that's
it. Okay, some caveats of REST: there's no 100% uniform way to design a RESTful API. There are some best practices, but it's really, again, up to whoever is designing the system. I've seen all kinds of craziness out there. So they don't always conform to the HTTP method design, and POST and PUT are, a lot of times, I mean, maybe they're not supposed to be, but people do whatever they feel like. And an example, I'm guilty as well: rather than putting authentication data in an Authorization header, I made some GET requests POST requests; that way I could send my authentication data to the server, and then the return, or the response to that
request was whatever normally would come from a GET response. You know, for my very limited app it didn't make a difference, but, you know, it's gonna be different no matter what you look at. Like I said, that's probably not best practice, but it was my first REST app, so you'll have to give me a pass on that one.

Okay, so talk about REST hacking. So it's a great attack vector because, you talk about mobile apps, web apps, what-have-you, it's an undocumented, a lot of the times, internet-facing API. You know, people have all these apps that are being designed by people that don't know anything about programming, don't know security most importantly, and they're
putting, a lot of times, sensitive information publicly exposed and hoping that nobody takes a look at it, and the story that we're gonna be getting into is exactly that. So the fact that it's undocumented helps sometimes because, you know, security by obscurity: oh, we didn't document this, so nobody's gonna hack us because they don't know how to use our crazy API, that, you know, is really not that crazy. So oftentimes it's misconfigured or it's missing security; the thing we're gonna be looking at is both of those. And because of the readable design, by nature REST APIs are easy to determine what's going on, even if they're undocumented, but you look at the traffic, which
anybody with, you know, Wireshark or some of the other tools we're gonna talk about can do. It's pretty easy to figure out what's going on, and if you're working with a system that doesn't have security or is misconfigured, now that you know how this system works, you can exploit it. So yeah, I just said that there's lots of tools to assist, such as man-in-the-middle proxy; that was the one I started with, but there's some better tools than that for what I'm looking to accomplish. So man-in-the-middle proxy intercepts web traffic, and you can do SSL as well. Now there's nothing crazy black-magicky about man-in-the-middle proxy: you have a self-signed
certificate; you're man-in-the-middling traffic; you're gonna throw SSL errors unless you trust the self-signed certificate already, either we're not finding a way around this. As to some of the better-suited tools for this type of thing: Burp Suite, and ZAP as well. Both trap; all kinds of stuff you can do with those, but traffic analysis tools and web spiders built in and lots of different functionality. They're both included in Kali by default; actually all three of those are included in Kali. The last two there, you can intercept traffic and modify it. Man-in-the-middle proxy can do that as well, but I feel like man-in-the-middle proxy is meant more to do that in an automated sense, whereas I
like using Burp for manually doing this stuff, just analyzing each packet as it comes through, and the same for that. The Advanced REST Client is just a Chrome extension that I use; I found it helpful. You know, I don't need the whole Burp Suite or anything like that if I just want to send some requests to a RESTful API; I just pull this thing up, type a few things in, and there you go. Also IDEs have them; my favorite one is PyCharm. It has a REST client built into it, which was really helpful when you're developing software that's using REST; you can test it right there.

Okay, so story time, right? So this is called, you
know, Hacking with REST for Love, right? So what is the love piece? We're gonna get into that. So we'll set the scene. So I was using a mobile app; I used a mobile dating app called JSwipe, and, similar to Tinder, it's focused for Jewish folks. So for those of you guys that don't know Tinder, it's a location-based dating app where people in your general vicinity will show up and you either say you like them or you don't, and then you move on, and you set search radiuses and stuff like that, and based on geolocation, you know, you find people and move on, and we'll get into that. So I'm getting more
and more frustrated, not for you, because my dating life was awful, but the main reason: the app sucks. It's a total POS. In particular, so frequently entire message threads were reloading, like, really slowly. So I opened up the app: oh, I have a message; oh look, here's every message coming through again. What's up? Messages randomly not coming through; like, I'd prefer all of them to come through rather than none of them to come through, so that was annoying too. But also, again, it's supposed to be, like, close, yeah; apparently Ohio is closer to Raleigh than I thought. So, and it wasn't like one random person, it was like lots of them; all of a sudden I was in the
Midwest. So anyway, okay, so I'm getting frustrated, you know, I'm flipping the table, and what's wrong with the app? Like, what's happening here? Like, I think it was like a Saturday morning; I'm simply having some coffee, trying to, you know, enjoy my weekend, the little time I get off, and just trying to talk to somebody, and it's not happening. Like, I finally got someone to talk to me; like, why can't I actually talk to them? So dating life's not going anywhere, getting frustrated, blah blah blah. So I turned to IT insecurity: let's see what we can do with this; let's figure out why this app sucks, like, what's going on here. And okay, we're going to talk about what
I just covered. So here are the tools that I used. I used my Android phone, or there are plenty of emulators as well. I particularly like Genymotion, which is free for my personal use. Somebody correct me if I'm wrong, but I think the Android SDK recently came out with, like, a new emulator that's a lot faster than the old one was, but a year or so ago when I was doing this, the official one was pretty slow, whereas Genymotion was pretty darn fast. I used man-in-the-middle proxy; again, Burp or ZAP or any tool like that would do the job just as well. We just want to intercept traffic, maybe modify it, or it
was just to see what's going on. And the reason we couldn't use Wireshark, at least not to my knowledge, is because the traffic is encrypted. I know there's ways to view encrypted SSL traffic in Wireshark, but these other tools were more straightforward for doing what I wanted, which was just intercepting traffic from an app on my phone, rather than from, say, like, Chrome, which I think there's some way to do it with Chrome or other browsers, but not that I know for an app. So the only saving grace this app had was it was using SSL. Like, they don't get points for that, but it's better than nothing; not by much. So I
used JetBrains PyCharm; that's the Python IDE, it's my favorite one by far. I mentioned before that there's a REST client built into it; I used that as well. It's really helpful: I have my code up top, my REST client right below; I can test stuff out and then I can implement it into code. It's really nice. There's so many other options out there, though, for REST clients; you pick whatever you like. I used Python for writing this exploit. Like I just said, so we need to figure out, like, what's going on on the network, what traffic is being generated, what network activity. So here's what I did: I set up man-in-the-middle
proxy on my computer, which was a lot harder to do on a Mac than I expected. I've always used it on Kali, but I didn't have a Kali ISO with me and I didn't want to wait the four minutes to download one, so this turned into a whole weird deal. But anyway, so I recommend Kali if you're going to do this. So like I said before, man-in-the-middle proxy generates a self-signed certificate that it uses to re-encrypt traffic that it intercepts and decrypts. So in order to make the apps that you're using on your phone function properly when you're using a self-signed certificate, you need to tell your phone to trust that
self-signed certificate. Again, that was also more difficult than I would have thought, trying to find a way to, like, get an SSL certificate onto my phone. Like, if I just downloaded it and copied it to the SD card, that's one thing, but actually getting an SSL certificate from a site on my phone without downloading some special app or something was surprisingly difficult. I mean, not hard, but, you know, not as easy as it is on a regular, you know, desktop OS. So some apps will throw SSL errors if, you know, you're not using a valid SSL certificate; plenty of them don't. I don't know if this one did or not; I wasn't gonna
give it the chance. I really didn't want to be any more disgusted than I was when I figured the rest of this stuff out. But anyway, so best idea to have a trusted SSL certificate. Also, some apps now, more and more, are doing certificate pinning, which means that they're trusting only one particular certificate. It's either baked into the app, like, trust this certificate and this certificate only, or the first certificate that it sees, that's the one that I trust moving forward. There was nothing of the sort with this app; I didn't have to worry about that, but that's something you could run into if you're looking at apps, or really any program these days. I know the
desktop Dropbox client does pinning. All I had to do was then use man-in-the-middle proxy, trust the SSL certificate, and then just use the app and explore network traffic as it comes through. So let's just do what I want to see, and then we'll analyze the results and see what's happening. So what did I find? So the first thing I figured out was there's a third-party back end, a.k.a. backend as a service, being used for hosting data. They're not running their own servers and databases and all this stuff; they're just using a third-party hosted solution, and this is parse.com. Now, what's Parse, a little bit: it provides, yeah, the stuff I just said,
as well as SDKs for all kinds of mobile web development, or mobile app development. They got bought out by Facebook a couple years ago, and if you're looking to develop an app, don't use them, because they're being shut down this year. Yeah, I actually used them for something after learning about them through this whole process. I wrote an app; I was like, okay, well, let's try this out, and then I get an email six months later, like, hey, we're shutting our service down, like, here's, although we're gonna open-source all of our stuff so you can host your own servers. I'm like, that's great; the free app is now requiring that I buy a server or
something, or maybe just, you know, siphon some server space off of the office or whatever. So they have a REST API used for data communication; that's the preferred method of using Parse. Okay, so a GET request on this app to get users: so we're doing GET parse.com, and then, I don't know what the one is, but that was in all the queries, and then classes; it's, you know, we're looking at object-oriented stuff, a class, and then user; that is the default user object, not for this app but for all Parse stuff. I found that out when I get that open to my own app on their platform. Depending on what you're doing here, you can, that
user piece might be something custom if you're making other types of classes. That's specific to Parse; sure, there's different ways for different services. So if we want to get a user or a list of users, and I think that this query is for multiple users, you would do, you miss Jim, you would request that URL. Now you can add optional query parameters. Now go back to the first few slides when I was equating HTTP methods to SQL statements; now, you know, maybe it makes a little more sense. So as part of this URL you can add various SQL statements or SQL parameters to the request. So limit equals a thousand: that's the same as, like, LIMIT 1000 in a SQL
statement. And I talked about undocumented APIs; the beautiful thing about this was this was all documented. Like, because Parse is public, all this stuff I could just look at, you know, their knowledge base or the wiki, whatever it was, and learn of all this stuff that I didn't see in traffic requests. So basically, using my knowledge about the service, I was able to exploit the lack of security that they put in place, or, to me, that the app developers put in place. So order equals created at: again, ORDER BY in SQL, so created at being the account creation date for the users. Now, the limit 1000: I'm selecting 1,000 users
from the database. I'm not selecting a single user as I normally would when I use the app normally and I told it next person; it did this request with a username or object ID or something like that, or maybe it just said limit one. Well, I found out, oh, you can just change that limit higher and higher and higher and get as many people as I want. This is some more SELECT limiting, if you will: so where equals created at is greater than 2013. I just chose that; the app started in, like, 2014 or something, so I figured this is a good starting date. If I start here I'll get everybody. I'll get that 1000 users; I'll get the
first 1000 users that were created after 2013, and it's going to order it by the date that they were created. So this part was really good: user details. This was something that I read about in the API. This one, this includes all kinds of information about the user, such as their preferences, their search radius, et cetera; like, not just their username and their, you know, whatever other public information it is. This is like, show me your bank account information. Yeah, so let's go through that. So analyzing captured traffic: I said there's two main endpoints, and I might have mixed these up from what it actually was, but the gist of it was a message endpoint and a user
endpoint; it's fairly clear to see what those were. So there was an OAuth token used for authentication. Didn't really matter too much, except that I had to use that same token when I was testing this out using my REST client. Now the PyCharm REST client has a nice little place that you can put headers right there, so all I did was copy and paste, and there we go, now I'm authenticated. We're not checking, like, you know, user agent or anything crazy like that; I mean, you could, but they didn't. So all I had to do was authenticate, and there I am. Now, so why was the message function so flaky? Why were they reloading, like, every time? They
were passing the entire thread every time. I wasn't, like, spazzing out; like, this was actually happening. Everything was going each time, and it was getting, you know, larger and larger every message that was being sent; it wasn't incremental updates. So anyway, why was the app suggesting that people across the country were in my search radius? I don't know, because I abandoned that quickly, because who cares after I found the next thing. So here's an example of the GET response. I have some information here; this is all JSON, and you can see the first thing is, like, profile picture, and it's, you know, some random name of the picture and then half a URL, excuse me, for the
user picture, and then other types of profile information. I said it was, you know, the Jewish dating app, so profile was kosher, there you go, blah blah blah. Okay, so birthday, user search distance. Now go back to the part where I was talking about the different query parameters. Not only can you limit your results, but, you remember that where greater than 2013, I can choose any of these profile items; anything here can be used as a search parameter. So what have we got here: where birth date equals, say I want everybody that's born on my birthday, well, I should add that in there; or whatever, I want everybody that's, you know, X age,
and here's another thing: there was a lot of data; that include user details, that dumped, like, three pages' worth of stuff that I had to break up into pictures so it would fit in a readable form for y'all. So anyway, let's say I want to search for all the 25-year-old females in the entire world, which, at the time there were 250,000 users on this app. So all I have to do is where gender equals female and where age equals 25, and there you go, now I have every Jewish woman on this app in the entire world. Nice. So there was a tiny additional design flaw. So, you know, you authenticate with
Facebook, log in with Facebook, just like every good app these days. So as part of that information, the Facebook ID was there, like, your true identity, and considering this is, like, a semi-anonymous, like, first-name-only app, you know, seeing some of these true identities is not good; not the worst thing in the world, but not great. So here's a screenshot of that; here's their Facebook ID. I could also query for that, and you'll see that in just a sec. So another little piece of this puzzle, the real shocker here, was, what is this? Yeah. So, and by the way, it's a location-based app, so it updates every few minutes. Yeah, and also the other, talked about the
search preferences. So what did I say before about, like, using information as the query parameters that I just saw? Now I can query for all these types of stuff, and I can look for specific people, or I can say, I can find somebody on Facebook, and now I can get their Facebook ID and, say, query for that. And I think I talked about that a few slides over, so I'm gonna hold my tongue for a second. There was one, remember where I said limit 1,000, like, oh, I got a thousand users? That's a lot, but there's no rate limiting. So no sleep statements, no pause, no, no; they just loop
over and over and over and over and over what
So using this, we had a little proof-of-concept Hicks. So using the information, an attacker could develop a program to query the database for the person matching a certain criteria, like I said, 25-year-old female, say, and find their Facebook ID, and then I can look them up on Facebook, and then I can track their GPS coordinates that get updated every few minutes. I have a tracking app for people that fit whatever criteria I look for. And you're supposed to, like, initiate conversations with people in order to talk to, or sorry, you're supposed to match with them in order to be able to initiate conversation. Forget that; like, I can talk to people,
and I don't think there's a whole lot of Jews in Japan, but I suppose I could talk to somebody over there if I just send the right query to, you know, to the app via that URL. So that's basically what I did to the CEO. So yeah, I was like, wow, this is pretty bad, but I need to have some fun with this first. So I found his Facebook ID. I mean, he's not super famous, but he was, like, you know, making himself real public, publicizing this app and everything like that. So all I did was I used his name, I found his Facebook profile, and then there's websites out there that'll let you just
take the, like, Facebook username and punch it in and it gives you a Facebook profile ID, which is just, I think now it's like an eight-digit number or something like that. So yeah, and then all I need to do is that whole get user where Facebook ID equals his Facebook ID, and now I know his GPS coordinates. So I tracked him across the country for the weekend; like, he was going in the Midwest for something. Maybe he was in Ohio; maybe that's why he kept showing up, I don't know. But anyway, I saved the data, and, you know, I wanted to be able to say, hey look, I tracked you; lots of people can do
that; this wasn't hard to do; you probably need to fix this. Anyway, and then, oh, by the way, I also dumped 290 thousand users before I said, okay, I think my concept is proved. So anyway, no rate limiting, no nothing. So here's a code snippet of the DB dump code, and it's real easy, except I can't see it. So we have the URL, we get the created at parameter, and we're adding our authorization headers, and the request success piece, that was just something I added; that was my own error checking to make sure my requests were going through. I created a database, the SQLite database, so I could properly store all my stolen information,
and then I query for users created after 2013 June 23rd, include the user details, and there it is: limit 1000, order by the creation date. That's all on line 10, that URL right there. So, and then the rest of what it's doing is it's going to this URL, it's getting a thousand users, basically the first user to the 1000th user, returning them to me, and then taking the date that that 1000th user was created at and using that as the parameter for the next one. So now I get the next 1,000, and like I said, I got about 90,000 people before I decided to cut it off and realized I don't really need the rest of them.
Anyway, so yeah, but what is this, like, I don't know, 30, not even, yeah, 30-some-odd lines of code; that was all that was needed, and I'm sure there's lots of extra junk here that was unnecessary. Okay, so here's a quick screenshot of man-in-the-middle proxy, if you haven't used it before. So what you see here, this is not the app that I was working with; this is a different mobile dating app that has the same problem. Before I gave a similar talk at one point, I was like, okay, well, they patched a hole on the app that I'm working with, but I wonder if anybody else does it. So I spent an hour downloading every dating
app I could on my Android emulator and scanning the traffic, and then, oh, all of a sudden, oh yeah, this worked, no problem. So yeah, another app leaking GPS coordinates, awesome. So you're, say, actually, you know what, let me go back for a second. So yeah, as we see here, this is the JSON data, here are the different headers, and at the top where it says response, this is the response that the server gave me. If you tab over to, I can't really see it from here, I think it says request somewhere there, yeah, there it is, you can tab over and see what request I sent. So now I can see, say,
what did the app send, and this is what I returned, and now I can, you know, make my own assumptions based on the user-friendly displayed URLs and design of REST. I can now do whatever I want because I see how it works; I am authorized. I mean, if I would like to hide myself by not using my actual user account, that would add another extra step of complexity, but not a big one. So, oh, and yeah, I was thinking, like, halfway through my whole testing, like, oh, I wonder if they're gonna see this, because I'm not really trying to hide myself, and then at a certain point I was like, I wonder if they're gonna see
me like well I'm just not even try like let's so let's test out just how poor this is okay so here's a here's a screenshot of a REST client this is the one that's built into PyCharm and I really like it this was really useful for when I was coding because I would just make the request see if it worked and then I'm like okay it did let's incorporate that into the code now the end result after repeated attempts to get in contact with the company like I sent them emails I filled out the contact form they I I sent something to their security people which I'm kidding they didn't have any of that stuff yeah
so anyway eventually I finally threatened threaten us I shouldn't use that word but that's what it was to I was like I'm gonna disclose this without giving you guys a chance to fix it if you don't write back to me because it's been like a week this I'm able to track 250,000 people around the world who else has been doing this for god knows how long so that finally got their attention and they fixed it and so vulnerability was fixed but I'm still single so anyway so the conclusion on this is apps often have poor server and/or client-side security we're talking right now about server-side security I didn't even dive into the app itself because we
needed to the server piece was so easy but the bar has been set so low to design apps that anybody can do it and everybody is doing it and these people don't know anything about security they're not security experts they're not you know professional programmers they're like you know there's a lot of teenagers doing this in their mom's basement and they get a really popular app but you don't know what information is being leaked out from them and a lot of the times it's not like somebody's doing something maliciously this is just happening because they don't know what they're doing I spoke to the head engineer at this app who was this one guy who I looked up on his LinkedIn and
stuff his background was like a web developer he does JavaScript stuff like primarily he makes really pretty stuff he doesn't know about security apparently so I and you know I didn't want to out him so that's why I waited until they fixed all this stuff before disclosing any of it but like you know they made an app I think the company contracted this guy to make this app he made it it got popular and great but they're not thinking like afterwards about security worth we're adding features patch on security later if ever so REST in and of itself is an easy to use API design which can easily be exploited if it's not properly secured and not because of any specific
technical means but because exploiting exploiting apps that you don't know about or things like that or is a lot easier when you can read exactly what it does when it takes the guessing out of it you don't need to say what the hell is this random string like Oh get messages I for what that means be careful about what apps you use that use GPS ok so last slide is contact info but I'm also going to open up the quick for questions so you can reach me on Twitter at HM and here's my GitHub
right translate ancient you'll find all sorts of stuff in these things that I do also want to add because you know oh it's hard to implement security Parse has access control lists available as part of the API that you can very easily add in fact that's exactly what the company did they added ACLs to this rather quickly so it wasn't some huge complex thing so if they weren't doing that you know who else is missing out on that and as you as you could see the only information I needed was what was passed back to me a couple of times and that was my search those were my search parameters since you know the I
mentioned the user URL that's standard across all Parse accounts while the rest of it is you know custom classes that the app developer chooses well they're not very well hidden because they get passed back to you especially when you say include all user details now you got everything so any other questions yes I
honestly can't say I haven't used Burp in an automated capacity I usually just manually examine traffic hey I have something to add to that that just came up the other day friend of mine who lives in the Charlotte area apparently just outside Charlotte I don't know the area two O's Huntersville is that sound right apparently he lives there but he's technically Charlotte's but his address is Huntersville he wanted a Google Fiber shirt really badly so apparently it was rejecting it though because he didn't have a Charlotte address so he explored the JavaScript on that form page and apparently he found if you just changed that you know who say one word zero or something like that you know
spoof yes Charlotte's and he got his free shirt so
it's there it's amazing what you can find if you just look people count or the developers count on you not looking it's not any kind of black magic it's just using you know like the developer tools in Chrome that's that's the steepest piece of rest yes sir yeah
right I I personally do not know any off the top of my head except I'd you know if it was doing cert pinning based on the first cert that it got if you wiped the app data or not app data but you know I guess app data on in this case that would probably work um does anybody have an answer for that how do you like say you can't or say it's built into the app does anybody know of a way to get around that is that using like smiling or something like that
any other questions all right thanks a lot guys