Hungry Hungry Hacking: How to use XMPP with Path to chat with every brunch spot in the US
If only you could talk to a brunch place without waiting on hold.
For those days when you wake up hungry, we need an app to tell the wait time at NOPA. Even better, track wait times at all major brunch spots in San Francisco. Of course TalkTo and Yelp both offer a way to communicate with a business.
TalkTo had 1-8 minute response times.
This was far better than the 24-48 hour response times on Yelp. While chatting with friends, I found out that my friend Saikat had used TalkTo in the past, and I asked Saikat for the password to his account. Saikat was previously on the front page of Hacker News for hacking Yelp to expose racism.
Now it was a competition.
I had let the cat out of the bag to get his account. Saikat started parsing data from the output of the JSON API, a different direction. He discovered the URL used to load conversations, and immediately tried to scrape TalkTo’s website to collect the responses from businesses. Unfortunately, I had dinner in Sonoma, giving Saikat a 4-hour head start. I came back and Saikat had already set up Selenium and Mechanize to scrape data very slowly. (Saikat: 1, Colin: 0)
Some of the best ideas are dismissed.
I wanted to know how the product worked; I wanted to integrate and communicate directly with the business. Saikat thought I was wasting my time, only pushing me to work harder. He was first to finish and that was all that was important. Saikat had dismissed my “path”, and that’s emboldening.
First, check the DNS/SRV records.
A quick way to determine the server and port is using the dig command. SRV is used by Jabber to help clients automatically identify a Jabber server. You can see talkto.com uses im.talkto.com on port 5222, the default port.
Second, send telnet commands to the Jabber server
using XML. You can even authenticate this way, but it is the hard way to do it. Once you have the SRV record, you can try to connect with any Jabber client.
Test with IM Observatory, a security testing tool. Path’s Jabber server earned a grade of F.
Enable your Developer menu
It’s located in Safari’s Advanced preferences. Right-click the page and choose Inspect Element.
Find the Jabber ID for NOPA. For example, try searching for “jid”:
Jabber IDs have a full email format; it turns out they use @place.talkto.com
Find your own Jabber ID by searching for your actual name, or just “name”:
Since the user is not a place, @talkto.com is the correct full Jabber domain:
Find the password
I know strophe authenticates with our JID, but I need a password to log in. When searching for the password, always start with the default, passwd. You’ll find the XMPP.init and XMPP.connect and the passwd variable. Look at that, the password is the session ID stored in the cookie.
Open the cookie jar… mmm cookies
and copy the session id.
Find the BOSH server. A quick search and you have the server URL and port and a bosh_proxy:
Add an account to Adium or your favorite XMPP client. A command-line XMPP client would be ideal for scripting.
Enter the server, BOSH server, and Port.
Also, you’ll need to allow plaintext authentication over an unencrypted connection, because TalkTo really doesn’t want to make you jump through hoops like SSL/TLS.
Add a new contact for NOPA with the Jabber ID firstname.lastname@example.org and start chatting!
If you have the TalkTo chat window open at the same time, you will only see the received messages:
Once you close the window and reopen the conversation you’ll see the transcript appear in full:
I can message businesses directly from a chat client rather than using the TalkTo client or mobile app. I can parse this data and create our own app using their servers and database of businesses. I can do this all with scripting to automate the connection, chat with NOPA and display the response in a mobile app or webpage. (Saikat: 1, Colin: 1)
Talktoagent.talkto.com is what I believe is their Call Center Agent app, where their agents and the businesses log in and respond to messages. I could potentially access the API for their call center. The best way to do this would be to simply set up a business account with TalkTo, or ask TalkTo to talk to one of my friends acting as a business.
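The plaintext-over-unencrypted login and the failing IM Observatory grade above both come down to what an XMPP server advertises in `<stream:features/>` before TLS. The following is an added example, not code from the original post or from TalkTo: a small audit an operator can run over a captured features element. Both XML samples and the `audit_features` name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "tls": "urn:ietf:params:xml:ns:xmpp-tls",
    "sasl": "urn:ietf:params:xml:ns:xmpp-sasl",
}

# Constructed sample: no STARTTLS, password mechanisms offered on the raw socket.
WEAK = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>"""

# Constructed sample: TLS must be negotiated before any SASL mechanism is shown.
HARDENED = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>"""


def audit_features(xml_text):
    """Return findings for a <stream:features/> element captured before TLS."""
    root = ET.fromstring(xml_text)  # parse only captures you trust
    mechs = sorted(
        m.text.strip().upper()
        for m in root.findall("sasl:mechanisms/sasl:mechanism", NS)
        if m.text
    )
    findings = []
    starttls = root.find("tls:starttls", NS)
    if starttls is None:
        findings.append("STARTTLS not offered")
    elif starttls.find("tls:required", NS) is None and mechs:
        # STARTTLS advertised alone is mandatory (RFC 6120); alongside SASL it is skippable.
        findings.append("STARTTLS optional: client may authenticate without TLS")
    if mechs:
        findings.append("SASL offered before TLS: " + ", ".join(mechs))
    if "PLAIN" in mechs:
        # On this page the password was the web session ID, so it would cross the wire readable.
        findings.append("PLAIN exposes the password to a network observer")
    return findings


if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_features(sample) or ["no findings"])
```

An empty result means the server forces TLS before credentials are exchanged, which is the configuration that removes the need for the "allow plaintext authentication" client setting.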
When hackers get hungry, Path gets press.
My posts are my own and not the views of my employer.