- Note: I discovered those hacks a few months ago, which is really a long time for an app like Messenger. When writing this article, I saw that Facebook was really fond of their Instant Games and was releasing them for everybody (it seems I was in the beta), and there are paid contents or upgrades in third-party games. So I think Facebook is going to block those hacks soon. Anyway, this content is intended for educational purposes only. No, just kidding, do what you want but don’t blame me.
- UPDATE: This article was written in 2017. The hack described here probably won’t work on the particular game you are trying to hack. Instead, have a look at this other article.
Almost a year ago, Facebook launched a new feature: games for Messenger. At first, I wanted to use them as environments for some bots but then I discovered some nasty hacks to change your score or even cheat.
Choose your score on any game
When I finally decided to look in the code, it took me only a few minutes to find a javascript trick to set my score although I consider myself as a newbie in javascript.
The first thing to do was to locate the code of the game. You can monitor the network or inspect the nearby elements. The former is more precise but can fail when there is a cache (we will talk about that in the next article), and you learn more about the code by playing with the inspector.
With the Chrome DevTools, it is possible to manipulate the objects of
the FBInstant API to set your score.
Fool your friends 101
1. Launch the game.
A new “window” appears when you load a game (you don’t need to click the “Play Now” blue button, just wait there).
2. Open the DevTools.
On a laptop, the most convenient setup is to display the DevTools vertically on the side of the screen and use the console drawer below.
3. Find the source of the game
The game is loaded in an iframe. You can find it in the sources by looking for “instant-bundle”. Always use the “Elements” tab of the DevTools and not the “View Source” feature for it is not actualised when the page dynamically changes.
It looks like that:
<iframe class="_5_it _2u_i"
src="https://apps-919393791527666.apps.fbsbx.com/instant-bundle/1125470344173147/1343088282442392/index.html?source=fbinstant-919393791527666">
</iframe>
(this it the PAC-MAN game)
4. Select the #document element in the iframe
Now you should be able to use the FBInstant javascript object from the
console.
I understood later that this was the API of Facebook for the devs and
that selecting #document allowed the DevTools to “attach” the console
to the javascript environment of the iframe. Anyway, it offers a nice
function setScore.
Alternative to the steps 3 and 4
You can also change the context of the console by clicking on the context list, just below the “Elements” button in the Console tab of the DevTools. It looks like a drop-down list defaulting to “top”.
Choose the one with a name looking like:
apps-919393791527666.apps.fbsbx.com
This should also highlight the frame of the game.
5. Launch this command
FBInstant.setscore(42)
to set your score. When you close the game frame, your score appears in the conversation and is shared with your friends.
Alternatively, it seems some people use the following command instead:
js_FBInstantSetScore(42)
If none of those works for you, you can drop me an email.
Warning: cheating at PAC-MAN or Master Archer can ruin friendships.
What’s next?
Unfortunately, it is not possible to automate this process because of the cross-origin policy, although it doesn’t take a lot of time to do it by hand.
I neither explored more the FBInstant object nor found the documentation about it. Maybe there are other funny functions :)
With this little hack, you can set your score. But there are games with persistant states in which you can win money and buy upgrades (like EverWing). In the next article, we will see how to cheat and modify the variables and behavior of almost any game.