Foursquare - The Hidden OSINT Gem

Foursquare was originally built in 2009 as a check-in technology. It is often overlooked as an OSINT source because it is all about business locations, reviews and identifying what is around you at a given time (when using the app). However this platform has 60 million registered users, and 50 million active users every month as of 2019. That's significant and the platform is alive and well.


So what can we gain from exploring the platform data? - a lot!


Foursquare Search Tool:

The first thing we'll point out is their organic search tool:

If you search without logging in you will only return results of Places & Pages. Searching for "John Doe" returns the following:




If we want people profiles we will need to create an account. Luckily there is very little verification required to sign-up so go ahead and create a user account using whichever means you see appropriate. This will open a lot more search options and let us explore the API where the real value is further in this article. Conduct the search "John Doe" again once logged in and you will return these results:




We now have "People" profiles to explore.


The default search takes you to profiles near your "Current Location" or a location you specify. We can modify the URL to remove this and just return results based on the name only:

Simple change "John" to your persons name, and you will see the other parameters as blank now.



Geo Search:

The built in search tool allows you to search for a query + named location. However, if you modify the URL you can search for Latitude and Longitude for more accurate results. Below is an example:

Modify the lat & long and you can narrow down the results. We are unsure of the radius this uses, so test and adjust based on your own requirements.



Exploring Profiles

The first thing we can use to start building an understanding of the individual is Tips, Followers, Following and Lists.


Profile Markers:

The Tips section can give us insight into where the person has been, the vernacular they use and habitual markers by analysing their comments on particular places. These are all useful data points when conducting the analysis phase.




Also note that if the user has a social media account associated on another platform (i.e. Facebook) then the platforms icon will appear next to the profile image.


Photos:

There isn't a link on the normal page but you can access a users photos through the following URL:

The USER ID will be auto populated in the URL when you click into the profile once found through search.


Network Analysis:

The Followers & Following section is somewhat useful to identifying associates, but you will need to put in the work to identify common friends by scraping the lists, loading them into a spreadsheet and graphing them out. How? - follow the process below:

  1. Scrape the followers of a user

  2. Place in a spreadsheet. Column A = USER PROFILE, Column B = FOLLOWER PROFILE

  3. For each follower profile, repeat steps 1 & 2 but always loading the data into the same spreadsheet.

You will have something like this (and auto-graph it with https://databasic.io/en/connectthedots):





API & Advanced Search

The default interface does not allow you to explore a users photos. For this we need to explore using the API. Don't worry, there is a GUI to achieve this with only minor technical knowledge required.


Access the API explorer for user search here (you need to be logged in):

We pre-populated "John Doe" search based on name in the URL, but you can search using the following parameters: