Feel Like You’re Hacking, Step 5: Easy as API

Photos, unsurprisingly, can be very revealing on the web, as we learned in Step Four. But even something innocuous like the existence of a social media account can be revealing.

We can get a website to reveal some data through its API, the system the website uses to interact with other websites and programs. Like with the designers’ web console and the photographers’ EXIF data, we’re going to hijack this resource for our own reporting purposes.

This API console may look code-heavy, but don’t be scared. It’s a point-and-click tool; you just have to let your eyes adjust to reading the data in this format. The console works for a ton of different sites, like Facebook, Instagram, and YouTube, but we’re going to use it for Twitter. You may have to authorize this app to access your Twitter account in order to use it.


Click on statuses/user_timeline.json, the second option in the left-hand column, to request a user’s timeline. You can fine-tune your results by choosing the dates, the number of tweets (the API calls them “statuses”), and a few other parameters. Put your own screen name into the “screen_name” field, and click the red Send button on the right.

If you get a message that says “This Method needs Authentication”, click the dropdown menu up under Authentication and select OAuth 1. OAuth is a way of allowing a third party one-time access to your account without giving it credentials like your password. If you click the orange “Sign in with Twitter” button, it will show you a list of the ways apigee can access your Twitter data.

Once you’ve signed in, the console will shoot back to you a variety of data on your most recent tweets. And – this is perhaps most interesting to us – it’ll give you data on the user itself. For example, my return is:

"user": {
      "id": 74387024,
      "id_str": "74387024",
      "name": "Samantha Sunne",
      "screen_name": "SamanthaSunne",
      "location": "Washington, DC",
      "description": "@NPR investigations intern, @hackshackersdc organizer. Living every week like it's Sunshine Week.",
      "url": "http://t.co/4xhnqQbAz0",

and below that, even more:

"protected": false,
      "followers_count": 323,
      "friends_count": 211,
      "listed_count": 16,
      "created_at": "Tue Sep 15 06:53:49 +0000 2009",
      "favourites_count": 17,

I won’t paste it all here, but we can learn a lot from this returned data. Now we know:

  • My Twitter user id, name and number
  • My location, website and everything else I put in my Twitter profile
  • The time and date I first created this Twitter account
  • The number of people I follow, tweets I favorited, etc.

If you keep reading, you’ll see “src” links to the image files that make up my profile picture and background. We can check for more info on a person, or download their photo, by using the techniques we learned in Step One.
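If you save one of these responses, a short script can pull out the same facts without squinting at raw JSON, which is handy for checking what your own account gives away. This is an added example, not part of the original walkthrough: the sample response is constructed from the values quoted above, and the tweet text, the image URL and the presence of a profile_image_url_https field are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like a statuses/user_timeline.json response: a list
# of statuses, each with an embedded "user" object. Tweet and image URL are placeholders.
SAMPLE = json.dumps([{
    "created_at": "Mon Mar 17 14:02:11 +0000 2014",
    "text": "placeholder tweet text",
    "user": {
        "id": 74387024, "id_str": "74387024",
        "name": "Samantha Sunne", "screen_name": "SamanthaSunne",
        "location": "Washington, DC",
        "url": "http://t.co/4xhnqQbAz0",
        "protected": False,
        "followers_count": 323, "friends_count": 211,
        "listed_count": 16, "favourites_count": 17,
        "created_at": "Tue Sep 15 06:53:49 +0000 2009",
        "profile_image_url_https": "https://example.invalid/avatar.png",
    },
}])

TWITTER_TIME = "%a %b %d %H:%M:%S %z %Y"  # format of the "created_at" strings

def profile_summary(raw, now=None):
    """Pull the profile facts listed above out of a saved timeline response."""
    statuses = json.loads(raw)
    if not statuses:
        return None  # no tweets returned, so there is no embedded user object
    user = statuses[0]["user"]
    created = datetime.strptime(user["created_at"], TWITTER_TIME)
    now = now or datetime.now(timezone.utc)
    return {
        "id": user["id_str"],  # stays the same even if the screen name changes
        "screen_name": user["screen_name"],
        "location": user.get("location") or None,
        "website": user.get("url"),
        "protected": user["protected"],
        "account_created": created.isoformat(),
        "account_age_days": (now - created).days,
        "following": user["friends_count"],  # "friends" = accounts followed
        "followers": user["followers_count"],
        "favorites": user["favourites_count"],
        "image_links": sorted(v for k, v in user.items()
                              if k.startswith("profile_") and k.endswith("_https")),
    }

if __name__ == "__main__":
    print(json.dumps(profile_summary(SAMPLE), indent=2))
```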

Inside the API console, there’s a bar that looks like a web address bar. It says:


Replace “samanthasunne” with any Twitter username to see that user’s data. Open the black bar on the left to see a list of different data sets you can request. The dropdown menu under API lets you change the API – e.g., the website – you’re requesting data from.

We’re going to move on to one last social media hacking tool with Facebook Graph Search in STEP SIX.
