WingNews logo WingNews GitHub [2]
top | item 2249829

How to catch invisible friends on GTalk

60 points| DanielRibeiro | 15 years ago |ajatus.in | reply

29 comments

order
[+] Zak|15 years ago|reply
As an exploit demonstration, this is at least noteworthy, maybe even interesting. Actually using it is a bit rude though; people set themselves invisible because they want privacy.
[+] dalore|15 years ago|reply
You could say the invisible people are rude. I've had people who always set themselves to be invisible, but will still talk to you and ask you for stuff. But since they are invisible you can't initiate.
[+] DjDarkman|15 years ago|reply
Yes, but those people usually annoy you with questions from nowhere. But if you need them, you can't tell if they are online. A lot of people are really abusing this feature this way.

My method is to remove people who are offline most of the time, so that they don't get to see my online status in return. I think that online status should be mutual, if I can't see them, they shouldn't be able to see me.

[+] 51Cards|15 years ago|reply
Agreed... interesting exploit but actually having it used on me when I chose to be invisible would be a very good reason to just remove someone from my friends list entirely.
[+] shrikant|15 years ago|reply
A quick-and-dirty way to check if any given person is invisible is to just click on their name and send a message.

If they appear offline, but you don't see a response message that says "<username> is offline and can't receive messages right now.", then they're invisible.

(Only checked this in the desktop Google Talk client and the Gmail chat version)

[+] statictype|15 years ago|reply
This also works in Skype. They do a good job of cloaking calls, but chat sessions have the same 'leak' in that you get an error if they are actually offline but not if they are just invisible.
[+] dalore|15 years ago|reply
You still need to show offline contacts, and if that list is big it can be annoying.
[+] sayrer|15 years ago|reply
even worse, some clients (e.g. Adium) will show invisible users connect and disconnect if you have a conversation open with them.
[+] senko|15 years ago|reply
Python to English translation: you'll still get presence information about the invisible person when you log in, just the presence status will be 'unavailable' (aka. offline).

This will have false-positives for people that genuinely have logged off (which gives the same <presence type='unavailable'/> stanza).

Another way to potentially check whether someone's online or not is to send a caps discovery request (ie. ask their client what XMPP extensions it support). If it replies, they're obviously online (haven't tested this, some clients may in fact be shrewd enough to ignore such requests when set to invisible).

[+] utkarshkukreti|15 years ago|reply
Maybe it's just me, but I'm not getting any presence information from invisible users (was signed in as invisible from Gmail from another account) when I log in.
[+] xtacy|15 years ago|reply
Another fail safe method arises to due a logical reason:

1. Off the record (OTR) chats are not recorded.

2. There is message delivery notification in GTalk.

Putting these together: if you chat OTR with X and later, if you send a message to X (who is invisible) and you get a red error "X did not receive your message", then X is offline. For a normal offline contact, it would have been delivered as an offline message, but since the conversation is OTR, it cannot be recorded and hence you get a notification. :-)

On the other hand, if X is online, you don't get the red message.

[+] wittgenstein|15 years ago|reply
As far as I can see, the script will print out a contact in both of these cases:

1) Contact goes from Online to Invisible

2) Contact goes from Online to Offline by signing off

This effectively means that the script gives you no more information than what you get from the contact list. You can't know if someone went offline or went invisible.

[+] waitwhatwhoa|15 years ago|reply
this trick is not new, and the functionality is available in a couple pidgin plugins: http://www.siorarina.net/google-invisibility-half-scan/ http://www.siorarina.net/google-invisibility-tracker/

Note that if you read that first link, you will see that you used to not only be able to see the "go invisible" event, you were also able to simply scan your entire buddy list for invisible users. Google fixed this 'vulnerability,' but for one reason or another left the ability to see the becomes-invisible event.

[+] ayalgelles|15 years ago|reply
this would make things even funnier:

   message = xmpp.Message(event.getFrom().getStripped(), 'BU!')
   message.setAttr('type', 'chat')
   C.send(message)
[+] koenigdavidmj|15 years ago|reply
Indent by four spaces to get typewriter style

    like this.
[+] lhnz|15 years ago|reply
Would this also work on Facebook chat? (I thought that was based on XMPP, too?)
[+] calloc|15 years ago|reply
Facebook has an XMPP endpoint. However if a user has turned off chat within Facebook they won't even show up as at that point they are really offline.
[+] est|15 years ago|reply
Anyone got a openssl commandline version?
[+] jrockway|15 years ago|reply
The hard part is speaking XMPP, which openssl does not.