Unzuckify

This repository has a small Python application which allows me to
receive an email notification when somebody sends me a Facebook
message.

Why?

I don’t like Facebook as a company, and I don’t want to support them
by using their products, including Messenger. However, when I came
around to this point of view, I already had a number of existing
contacts on Messenger. I migrated everyone I talked to regularly onto
other platforms, but in case someone messaged me out of the blue, I
still wanted to know about that, so I could redirect them onto Signal
or SMS.

With the help of this application, I can make sure I won’t miss it
when a very old contact happens to message me on Facebook, while not
having to ever actively check Messenger or keep it on my phone.

How?

I reverse-engineered the Messenger authentication flow and the
recently
rewritten

GraphQL API, and created a command-line utility that can,
in the same manner as the browser:

  • Fetch the list of threads that would show up on Messenger, their
    names, the users in each thread, the last message that was sent, who
    sent it, and whether it is unread according to the server.
  • Send a message to a thread.
  • Mark a thread as read if it is unread.

This all turned out to be fairly straightforward. The protocol and
code is obfuscated, but nowhere near enough to foil basic reverse
engineering techniques.

After creating the command-line utility, I wrote a Bash script that
wrapped it with the following logic:

  1. Fetch my list of threads.
  2. Identify any threads that have unread messages and use
    SendGrid to notify me about them via
    email.
  3. Mark those threads as read.
  4. Login to a separate Facebook account and send my primary account a
    random inspirational quote by direct message.
  5. In step 2, the notifications for messages from the account in step
    4 are sent to a separate email address that is monitored by Dead
    Man’s Snitch
    . This, combined with
    step 4, ensures that as long as everything is in working order,
    Dead Man’s Snitch will get an email every time I run the script.

Then I run the script on a cron job every few hours. If I get a
message, it’s forwarded to email. If the API changes out from under
me, or something else goes wrong, I also get an email because Dead
Man’s Snitch will stop receiving notifications.

Prior work

I previously used Messenger
Mirror
to accomplish
the same thing as this project. However, because Messenger Mirror
relied on having an entire Chrome instance running in Selenium 24/7, I
didn’t want to have that running on my laptop (it would eat resources
for no good reason). Unfortunately, after a couple weeks, Facebook
banned the IP for my VPS, so I couldn’t run the application there
anymore. This is what inspired me to try reverse engineering the
browser API directly, since if I did that, it would be far less
resource intensive to run the application on my laptop in the
background.

Setup

If you just want to use the CLI (perhaps as proof of concept for
developing your own Messenger client using the reverse engineered
API), setup is quite simple. Install
Poetry, run poetry install and poetry shell, then you are good to go:

% ./unzuckify.py -u [email protected] -p your-password -v inbox
% ./unzuckify.py -u [email protected] -p your-password -v send
    -t thread-id-from-inbox -m "Some text message"
% ./unzuckify.py -u [email protected] -p your-password -v read
    -t thread-id-from-inbox

Cookies are automatically cached in ~/.cache/unzuckify/cookies.json,
and are separated per email address so you can use different accounts
in parallel. Omit -v to not log all the intermediate debugging info.
Only inbox prints to stdout, and the output is JSON.

If you additionally want to set up a Messenger-to-email bridge like I
have, then you should install jq and
sign up for a free SendGrid account. Also go
to Heroku, provision a Dead Man’s
Snitch
addon, and get the email endpoint
for the snitch. Then create a .env file in the repo as follows:

[email protected]  # facebook login
PRIMARY_PASSWORD='your-password'

[email protected]  # 2nd account login
SECONDARY_PASSWORD='other-password'

SENDGRID_API_KEY=SG.REDACTED  # from SendGrid
[email protected]  # from Dead Man's Snitch
SENTINEL_NAME='John Smith'  # Facebook name of 2nd account

[email protected]  # SendGrid verified sender
[email protected]  # where to receive notifications

Note for FROM_EMAIL, ideally you own a domain and can prove
ownership of it, and this email is on that domain. According to the
SendGrid documentation, if you use something like a Gmail address,
your notifications are likely to get flagged by spam filters because
it can be proven that Gmail was not actually the one to send the
email, which looks suspicious. If you don’t own a personal domain, may
I suggest doing business with Namecheap and
Forward Email?

Now you just need to set up the script to run on a semi-regular basis,
for example by creating a cron job:

crontab - <<"EOF"
0 */3 * * * sh -c '. "$HOME/.profile" && ~/dev/unzuckify/unzuckify.bash'
EOF

GitHub

View Github