• Chris

Foursquare - The Hidden OSINT Gem

Foursquare was originally built in 2009 as a check-in technology. It is often overlooked as an OSINT source because it is all about business locations, reviews and identifying what is around you at a given time (when using the app). However, this platform has 60 million registered users and 50 million active users every month as of 2019. That's significant, and the platform is alive and well.


So what can we gain from exploring the platform data? A lot!


Foursquare Search Tool:

The first thing we'll point out is their organic search tool:

If you search without logging in, only Places & Pages results are returned. Searching for "John Doe" returns the following:




If we want people profiles, we will need to create an account. Luckily, there is very little verification required to sign up, so go ahead and create a user account using whichever means you see appropriate. This opens up a lot more search options and lets us explore the API, which is where the real value is and which is covered further on in this article. Conduct the search "John Doe" again once logged in and you will get these results:




We now have "People" profiles to explore.


The default search takes you to profiles near your "Current Location" or a location you specify. We can modify the URL to remove this and just return results based on the name only:

Simply change "John" to your person's name; you will see that the other parameters are now blank.



Geo Search:

The built-in search tool allows you to search for a query + named location. However, if you modify the URL, you can search by latitude and longitude for more accurate results. Below is an example:

Modify the lat & long and you can narrow down the results. We are unsure of the radius this uses, so test and adjust based on your own requirements.



Exploring Profiles

The first things we can use to start building an understanding of the individual are Tips, Followers, Following and Lists.


Profile Markers:

The Tips section can give us insight into where the person has been, the vernacular they use and habitual markers by analysing their comments on particular places. These are all useful data points when conducting the analysis phase.




Also note that if the user has an associated social media account on another platform (e.g. Facebook), then that platform's icon will appear next to the profile image.


Photos:

There isn't a link on the normal page, but you can access a user's photos through the following URL:

The USER ID will be auto-populated in the URL when you click into the profile once you have found it through search.


Network Analysis:

The Followers & Following section is somewhat useful for identifying associates, but you will need to put in the work to identify common friends by scraping the lists, loading them into a spreadsheet and graphing them out. How? Follow the process below:

  1. Scrape the followers of a user

  2. Place in a spreadsheet. Column A = USER PROFILE, Column B = FOLLOWER PROFILE

  3. For each follower profile, repeat steps 1 & 2, always loading the data into the same spreadsheet.

You will have something like this (and auto-graph it with https://databasic.io/en/connectthedots):
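Once the sheet from steps 1 to 3 exists, the overlaps can also be computed directly rather than read off a graph. The following is an added example, not code from the original article; the sample rows and profile names are constructed, and the header names are assumed to match the column labels in step 2.

```python
import csv
import io
from collections import defaultdict
from itertools import combinations

# Constructed sample in the step 2 layout; every profile name is made up.
SAMPLE_SHEET = """USER PROFILE,FOLLOWER PROFILE
user_a,user_b
user_a,user_c
user_a,user_d
user_b,user_a
user_b,user_c
user_c,user_e
user_c,user_b
user_c,user_b
user_d,user_c
"""

def load_edges(sheet_text):
    """Return the set of (user, follower) pairs, trimmed and de-duplicated."""
    edges = set()
    for row in csv.DictReader(io.StringIO(sheet_text)):
        user = (row.get("USER PROFILE") or "").strip()
        follower = (row.get("FOLLOWER PROFILE") or "").strip()
        if user and follower and user != follower:  # skip blanks and self-loops
            edges.add((user, follower))
    return edges

def shared_followers(edges):
    """Map each pair of scraped profiles to the followers they have in common."""
    table = defaultdict(set)
    for user, follower in edges:
        table[user].add(follower)
    shared = {}
    for a, b in combinations(sorted(table), 2):
        common = table[a] & table[b]
        if common:
            shared[(a, b)] = sorted(common)
    return shared

def mutual_follows(edges):
    """Pairs of profiles that follow each other (an edge exists both ways)."""
    return sorted({tuple(sorted(e)) for e in edges if (e[1], e[0]) in edges})

if __name__ == "__main__":
    edges = load_edges(SAMPLE_SHEET)
    for pair, common in shared_followers(edges).items():
        print(pair, "share", common)
    print("mutual:", mutual_follows(edges))
```

Repeated scrapes of the same profile produce duplicate rows, which is why the loader collapses them before any counting.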





API & Advanced Search

The default interface does not allow you to explore a user's photos. For this we need to use the API. Don't worry, there is a GUI to achieve this with only minor technical knowledge required.


Access the API explorer for user search here (you need to be logged in):

We pre-populated "John Doe" search based on name in the URL, but you can search using the following parameters:




E.g. to search for someone based on a Facebook ID we could do the following:

This returns the JSON data as below:


This is obviously very useful when doing person correlation across multiple platforms. Often Foursquare accounts have been set up and registered using a FB ID (as you can log in/register with FB), and searching against this vector may reveal other information such as locations and other social media platforms like Twitter.


Photos

The organic search tool and profile view page allow you to see photos, but what if we want the rich metadata, including GPS coordinates tagged with the photo? We can access these again using the API with the following search:


OR modify this URL:


Now once you get a series of results back, you will see them in this format with all the metadata:



Viewing the photo is trickier. If you combine the prefix & suffix tags and try to load each of the photos in a browser, you will get an error; for example, "https://fastly.4sqi.net/img/general/xxxxxxxx.jpg" does not work. This is because the system is waiting for an image size parameter before it will load. Therefore we just need to add width960/ as a folder parameter in the URL, like below:

And you now have the image:

Repeat this for all the photos you want to view and you are all set.


Friends

You can also quickly get a JSON packet with a user's friends:



Further references for the API are available here: https://developer.foursquare.com/docs/api/users/search


Conclusion

There is a lot of useful information available in Foursquare that is often overlooked or unknown to the OSINT community. If you are exploring social media, definitely have a look through Foursquare and see what you can find. There is also plenty of information and efficiency to be gained from analysing the network traffic in the browser when conducting searches, so be sure to check that out as well if you are feeling more technical.


Note: all techniques and use should be for research purposes only and to better understand the platform. We are not responsible for the use of these techniques in any manner.


©2020 by OSINT Combine