I appreciate (and encourage) using real life problems as a pretext for researching new topics and developing new skills, but
1. I'm really curious as to what's the desired outcome here? A spambot to flood people's notifications?
2. I'll admit that I have absolutely no idea how Instagram's API layer (and protection) works but wouldn't capturing the HTTP calls be a more appropriate and easier approach to take?
I know agencies get paid to manage other businesses' Instagram accounts, and want ways to post/comment/engage/etc with multiple businesses' accounts at once. You'd still have a human driving/scheduling/approving the activity, but you wouldn't have to jump between so many hoops to do so.
Yeah, it could definitely be used badly and there is a thin line between account management and growth-bot spam.
But that is part of what makes it interesting to me. Instagram has real anti-abuse systems, rate limits, weird UI states, etc. It's just a good place to experiment, everyone knows about it and it's something I was interested in.
I was totally expecting to get the account banned quickly.
Although I just added a disclaimer to make it clear.
1. Social media accounts with lots of engagement and high follower counts are worth big money these days. However, it takes a ton of effort to build that up organically. It's not difficult to see possible motives for something like this.
2. Leveraging their private APIs will get you banned even quicker than OP's method.
I tried all sorts of automation in the past and always got banned in the end. Not worth it. Use AI or whatever to generate your social media content but always post it manually for best engagement and not getting banned.
On business pages they literally give you access to the posting API... and you can automate against that. Not that they will give you much action on that without the sweet sweet accelerant of ad money.
The mouse might be one signal but Instagram is almost certainly looking at way more than that and feeding it to some ML-based abuse detection.
They likely have entire teams working on this, plus adversarial teams trying to break their own detection systems.
I'm blocking as much tracking as I reasonably can and they still caught it within a few days. So I doubt this failed because of one obvious browser API. It is probably a combination of behavioural signals that made the account look automated.
>A full screenshot is huge. Over 7 million pixels on a typical screen.
Hmmm I don't think that's true? 1080p is 2M, 2K is 4M, 4K is 8M. Are we really in an era where full 4K is "typical"? For reading Instagram? I've got 4 screens I use on a daily basis that are all 2K or less. I mean my TV was only 1080p until a few months ago lol. Maybe I'm just slow.
Also: you're automating the browser, just make the window smaller then!
This is also why creating a regular account is so difficult on all the social networks. You sign up and it is instantly banned and you have to go through a whole review and approval process just to use it. Incredibly user and company hostile.
A new account doing anything unusual looks suspicious immediately. A 10yo account with normal history and real usage would probably be much less likely to get banned for the same behaviour.
Statuses cannot be disabled, so the little notification dot is always there (I solved that by archiving everyone's statuses) and the phone call feature cannot start a recording when you get called. If you need to record a call you need to do so separately.
If for some reason you want to stop using WhatsApp, you just cannot. You socially exclude yourself.
Most people you know are there so you cannot just leave it. Some companies run their business there. Some government services and banks have a WhatsApp chat bot, and don't accept email or phone calls anymore.
I wish I could fully leave WhatsApp, but I can't without paying a social price. The network effects are a straitjacket.
2. Leveraging their private APIs will get you banned even quicker than OP's method.
Anything not from their vanilla app, the littlest dot on their charts will trigger severe alarms and actions.
Big correlation systems. The safest path used to be to automate the app itself, through mobile automation, but they even got too sensitive to that.
I don't doubt the whole app has a behavioural analysis component, full screen size, much like a big "I am not a robot" checkbox.
Also, it's very likely their private APIs are CSRF-protected or similar.
Most of "engagement" on every big platform has always been bot activity, which strongly suggests that all their measures can be countered.
I realized months ago that social networks are distribution systems. Want acceleration? Pay.
There is little incentive to make anything viral/organically boosted.
I haven’t had to go the CV route yet, but I know it’s a matter of time once they “improve” the site and it starts breaking regularly.
Hmmm I don't think that's true? 1080p is 2M, 2K is 4M, 4K is 8M. Are we really in an era where full 4K is "typical"? For reading Instagram? I've got 4 screens I use on a daily basis that are all 2K or less. I mean my TV was only 1080p until a few months ago lol. Maybe I'm just slow.
Also: you're automating the browser, just make the window smaller then!
I’ve edited it to focus more on the actual problem: the bot starts with a large visual search space and has to narrow it down to a small target.
Thanks for the feedback.
I have no interest in juicing engagement, purely from a "20 years from now it'll be cool to know this existed at all" aspect.
e.g. contradictory feeds.
1. Motivational post followed immediately by a demotivational post, iteratively. This will allow people not to be stuck in one basin of attraction.
2. Wealth-flaunting posts followed by poverty posts to elicit a strong contrast and inequality.
3. Science posts followed by pseudo-science posts.
4. Feeds that are generated like DJ sets. Instead of playing with music, the feed would play with emotions.
Other such combinations.
It is just an amateur blog post about a small automation experiment. I am not selling anything or promoting a tool.