Louis Abraham's Home Page

How to hack Facebook Messenger Games 1/2


Almost a year ago, Facebook launched a new feature: games for Messenger. At first, I wanted to use them as environments for some bots but then I discovered some nasty hacks to change your score or even cheat.

Choose your score on any game

When I finally decided to look in the code, it took me only a few minutes to find a JavaScript trick to set my score, although I consider myself a newbie in JavaScript.

The first thing to do was to locate the code of the game. You can monitor the network or inspect the nearby elements. The former is more precise but can fail when there is a cache (we will talk about that in the next article), and you learn more about the code by playing with the inspector.

With the Chrome DevTools, it is possible to manipulate the objects of the FBInstant API to set your score.

Fool your friends 101

1. Launch the game.

A new “window” appears when you load a game (you don’t need to click the “Play Now” blue button, just wait there).

2. Open the DevTools.

On a laptop, the most convenient setup is to display the DevTools vertically on the side of the screen and use the console drawer below.

3. Find the source of the game.

The game is loaded in an iframe. You can find it in the sources by looking for “instant-bundle”. Always use the “Elements” tab of the DevTools and not the “View Source” feature, because the latter is not updated when the page changes dynamically.

It looks like this:

<iframe class="_5_it _2u_i"
src="https://apps-919393791527666.apps.fbsbx.com/instant-bundle/1125470344173147/1343088282442392/index.html?source=fbinstant-919393791527666">
</iframe>

(this is the PAC-MAN game)

4. Select the #document element in the iframe.

Now you should be able to use the FBInstant JavaScript object from the console.

I understood later that this was the API of Facebook for the devs and that selecting #document allowed the DevTools to “attach” the console to the JavaScript environment of the iframe. Anyway, it offers a nice function, setScore.

Alternative to the steps 3 and 4

You can also change the context of the console by clicking on the context list, just below the “Elements” button in the Console tab of the DevTools. It looks like a drop-down list defaulting to “top”.

Choose the one with a name looking like:

apps-919393791527666.apps.fbsbx.com

This should also highlight the frame of the game.

5. Launch this command

FBInstant.setScore(42)

to set your score. When you close the game frame, your score appears in the conversation and is shared with your friends.

Warning: cheating at PAC-MAN or Master Archer can ruin friendships.
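
The steps above succeed because the score that ends up in the conversation is whatever the client reports. The sketch below is an added example, not code from this post or from Facebook: a hypothetical score service (createScoreService, submitTrusting, submitChecked and MAX_POINTS_PER_SECOND are all assumed names and values) showing the trusting pattern next to a server-side check that bounds the score by what the server itself observed about the play session.

```javascript
// Added example: hypothetical server-side score handling, not FBInstant code.
// The client is untrusted, so the server keeps its own record of each play
// session and only accepts a score that fits that record.

const MAX_POINTS_PER_SECOND = 50; // assumed per-game tuning value

function createScoreService(now = () => Date.now()) {
  const sessions = new Map(); // sessionId -> { playerId, startedAt, submitted }
  let nextId = 1;

  return {
    // Called by the server when it serves the game bundle to a player.
    startSession(playerId) {
      const sessionId = `${playerId}:${nextId++}`;
      sessions.set(sessionId, { playerId, startedAt: now(), submitted: false });
      return sessionId;
    },

    // Weak pattern: whatever number the client reports is stored as-is.
    submitTrusting(score) {
      return { accepted: true, score };
    },

    // Hardened pattern: the claim must fit what the server observed.
    submitChecked(sessionId, score) {
      const s = sessions.get(sessionId);
      if (!s) return { accepted: false, reason: 'unknown session' };
      if (s.submitted) return { accepted: false, reason: 'already submitted' };
      if (!Number.isInteger(score) || score < 0) {
        return { accepted: false, reason: 'malformed score' };
      }
      const elapsedSec = (now() - s.startedAt) / 1000;
      const ceiling = Math.floor(elapsedSec * MAX_POINTS_PER_SECOND);
      if (score > ceiling) {
        return { accepted: false, reason: 'score exceeds plausible ceiling' };
      }
      s.submitted = true; // one score per session, so no replays
      return { accepted: true, score };
    },
  };
}
```

A ceiling like this bounds a forged score rather than ruling one out: a client that leaves the frame open long enough can still claim any value under the limit.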

What’s next?

Unfortunately, it is not possible to automate this process because of the cross-origin policy, although it doesn’t take a lot of time to do it by hand.

I neither explored the FBInstant object further nor found the documentation about it. Maybe there are other funny functions :)

With this little hack, you can set your score. But there are games with persistent states in which you can win money and buy upgrades (like EverWing). In the next article, we will see how to cheat and modify the variables of almost every game.